Nobelium, the threat actor behind the 2020 attack on SolarWinds, compromised at least three Microsoft customers in a new round of attacks using password spraying and brute force, according to a Microsoft security blog post released Friday.
As part of its investigation, Microsoft discovered information-stealing malware was placed on one of its customer service agent's machines. The basic account information gathered was then used to launch targeted attacks against various organizations, as part of a larger campaign, Microsoft said.
Targeting organizations in 36 countries, the actors mainly attacked IT companies and government agencies, according to Microsoft. The group also targeted a small number of NGOs, think tanks and financial services companies, focusing mainly on organizations in the U.S. and U.K., with a smaller number in Germany and Canada.
The new attacks come about a month after Microsoft sounded the alarm on Nobelium, when the threat actor leveraged an account through the Constant Contact email marketing service to launch phishing attacks. The May attacks targeted about 350 organizations, including government agencies and NGOs.
The latest round highlights the need for companies to insist on strong passwords, according to Kev Breen, director of cyber threat research at Immersive Labs.
"We know from experience that the Nobelium group is a capable threat actor from their role in last year's SolarWinds compromise," Breen said via email. "Despite the proficiency shown in these earlier attacks, we can see that password reuse and brute force are still a common tactic used by almost every threat group. We'll keep banging this drum, but this just highlights the importance of proper password usage."
The new campaign also reinforces the need to use multifactor authentication and to enforce zero-trust architecture, according to Microsoft. The company's customer service agents were configured with the minimal set of permissions allowed as part of its "least privileged access" approach to customer information.
For federal officials, the attack reinforces the need for organizations to implement the steps outlined in the May 12 executive order on cybersecurity from the Biden administration. The order calls for greater information sharing between the private sector and federal authorities, in part so that other companies can be notified as soon as an organization is hit by an outside attack, and so that the associated indicators of compromise are shared and other private sector entities know what to look for.
"CISA is aware of this activity and is working with Microsoft and our interagency partners to evaluate the impact," Nicky Vogt, a spokesperson for the Cybersecurity and Infrastructure Security Agency said in a statement.
During the original SolarWinds attacks in 2020, the threat actor used applications with privileged access in Microsoft Office 365 and Azure to attack Malwarebytes. Mimecast was also hit in a supply chain attack that compromised its authentication certificates.
The supply chain attacks were examples of how companies in the current environment need to constantly monitor and reassess the level of access they provide to vendors, because with excess permissions they can easily fall victim to a third-party attack.
SolarWinds said this latest round of attacks involving Microsoft has nothing to do with the company. "The latest cyberattack reported by Microsoft does not involve our company or our customers in any way," a spokesperson for SolarWinds said.