A cyber campaign linked to the SolarWinds threat actor could force the industry to rethink the way it approaches enterprise security, researchers warned. Supply chain relationships are no longer assumed to be safe, and anticipating a breach has become a standard posture.
The threat actor Microsoft identified as Nobelium leveraged an account through the email marketing service Constant Contact to send malicious emails to more than 350 organizations, including federal agencies and NGOs, Microsoft disclosed last week. Researchers said the new attack has been underway since January, showing that despite efforts to mitigate SolarWinds, the same attackers were actively seeking out new attack vectors.
After obtaining a court order, federal authorities last week seized two command-and-control and malware distribution domains used in the Nobelium phishing campaign, according to an announcement Tuesday by the Department of Justice.
Almost six months after the SolarWinds supply chain compromise was uncovered, Microsoft researchers said the threat actor used an attack vector that managed to evade certain automated detection systems.
"These attacks were targeted and did not have the significant reach as the previous SolarWinds exploitation, but they have some unique characteristics," John Hammond, senior security researcher at Huntress, said via email. "The threat actors evolved and adapted their tactics to determine which phishing emails would most often be clicked."
The threat actor weaponized Constant Contact to push out the malicious emails, which then smuggled in an ISO file that later launched a Cobalt Strike beacon, he said.
The threat actor was able to evade traditional security defenses by leveraging a system that was thought to be sending emails from a trusted source. This attack demonstrates that many of the operating assumptions used to protect systems from malicious attack may ultimately not be good enough, said Joseph Blankenship, vice president and research director at Forrester Research.
"So really what they're taking advantage of is the trust we have that certain senders are good senders," Blankenship said.
The Waltham, Massachusetts-based email marketing firm was aware that the account credentials of one of its customers were compromised and "used by a malicious actor" to access the Constant Contact account, a company spokesperson said. The spokesperson did not name the customer.
The malicious activity was "an isolated incident," and the account was temporarily disabled while Constant Contact worked in cooperation with the customer, who has notified law enforcement, the spokesperson said.
Kev Breen, director of cyber threat research at Immersive Labs, said the techniques used in this attack are well known and have been used often in the past, but what is unique in this case is the way the threat actor assembled the various methods to carry out the campaign.
"We've seen ISO containers used before, we've seen Dropboxes used before, we've seen HTML smuggling used before," Breen said. "I think what really sets this one apart is the use of all those together."
The Cybersecurity & Infrastructure Security Agency said it is working with the FBI to address "malicious activity by a cyber threat actor that leveraged an account hosted by a third-party email service to send malicious emails to approximately 350 organizations," which includes NGOs and federal agencies. CISA did not name the threat actor and said it has not found any significant impact on federal government agencies linked to the activity.
"CISA continues to work with the FBI to understand the scope of these activities and assist potentially impacted entities," the agency said in a statement, while encouraging affected organizations to take steps recommended in its latest alert.
FBI officials said they will continue to use aggressive tactics to deter malicious cyber activity.
"The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public," Bryan Vorndran, assistant director of the FBI's Cyber Division, said in the announcement. "We will continue to use all of the tools in our toolbelt to leverage our domestic and international partnerships to not only disrupt this type of hacking activity, but to impose risk and consequences upon our adversaries to combat these threats."