Microsoft says the same Russian hacking group behind the compromise of the SolarWinds Orion platform is targeting IT service providers and cloud technology resellers to leverage their privileged access to end customer networks.
In a series of blogs, Microsoft says the threat actor it calls Nobelium is targeting cloud service providers, managed service providers and other IT services organizations that have administrative privileges to customer networks and has been doing so for at least five months.
The company has been tracking this activity since May, and has notified more than 140 resellers and technology providers that have been targeted. Of those targets, as many as 14 have been successfully compromised.
According to Microsoft, the attacks targeting IT service providers are part of a larger overall campaign between July 1 and Oct. 19 that includes more than 600 targets and nearly 23,000 individual attacks, with success rates in the low single digits.
“By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years,” said Tom Burt, corporate vice president of customer security and trust, in a Microsoft blog post.
Along with the SolarWinds compromise and other attacks against the IT supply chain, this activity suggests the Russian nation-state actor is “train to gain long-term, systematic access to a variety of points in the technology sup ply chain” with the goal of spying on targets of interest, Burt wrote.
According to Microsoft, the threat actor isn’t leveraging software vulnerabilities, but is instead using common techniques like phishing and password spraying to steal credentials and gain privileged access to appear as a legitimate service provider.
By compromising accounts at the service provider level, a threat actor can take advantage of several potential access vectors, including delegated administrative privileges and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access, the Microsoft Threat Intelligence Center said in a blog.
In one case, Nobelium chained together artifacts and access across four separate providers to reach their end target, compromising service providers that had both remote and on-premises access to a customer’s network.
For service providers and Microsoft partners that rely on elevated privileges, Microsoft recommends they:
- Verify and monitor compliance with Microsoft Partner Center security requirements.
- Ensuring multifactor authentication (MFA) and conditional access policies are enforced. All Microsoft partners are required to use MFA to access Partner Center.
- Monitor if any user logins or API calls are not compliant with MFA enforcement.
- Adopt the Secure Application Model Framework.
- Check the Partner Center Activity Logs for suspicious activity.
- Remove delegated administrative privileges when not in use.