The Microsoft Threat Intelligence Center (MSTIC) shared a report warning that NOBELIUM—the threat actor behind the SolarWinds attacks—is targeting delegated administrative privileges as part of a larger malicious campaign.
Microsoft cautions that attackers are attempting to gain access to the downstream customers of multiple cloud providers, managed service providers (MSPs), and IT services organizations. At first glance the document appears to be a standard threat intelligence report, but on closer examination it more closely resembles a technical vulnerability disclosure.
Microsoft is calling it a nation-state attack based on the attribution to NOBELIUM. Following discovery of the SolarWinds attacks, US intelligence agencies and other nations determined that NOBELIUM is part of the Russian foreign intelligence service SVR.
“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers,” explained Tom Burt, Corporate Vice President for Customer Security & Trust at Microsoft, in a blog post.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”
This activity is a variation on a supply chain attack—targeting a single entity with access to hundreds or thousands of customers rather than attempting to attack each one of those customers individually. It is similar to the strategy behind the DeadRinger and GhostShell campaigns uncovered by Cybereason.
Microsoft shares some details of its assessment and provides mitigation and remediation guidance alongside the report. The guidance stresses that cloud service providers, and the organizations that rely on them for elevated privileges, should enforce multifactor authentication and review activity logs for use of those privileges. It also recommends that organizations remove delegated admin privileges (DAP) relationships that are dormant or not actively used.
One thing that seems implied in the Microsoft report—but is not overtly stated—is that these attacks have targeted or were discovered within Microsoft’s own platforms and products. While this is framed as threat research, the report actually looks more like a technical customer security advisory informing Microsoft customers that they are potentially exposed and vulnerable.
The report references “cloud platforms” generically without stating explicitly that it is talking about its own Azure cloud service. Furthermore, the report states that MSTIC continues to observe, monitor, and notify affected customers and partners, and that the Microsoft Detection and Response Team (DART) and Microsoft Threat Experts have engaged with affected customers to assist with incident response, which reads like a veiled admission that these attacks slipped past Microsoft's security defenses and affected Microsoft customers.
The image included in the report as an illustration of the attack chain references a generic “cloud services provider” but only subtly acknowledges abuse of the Azure AD trust relationship and Azure within an IT provider environment as elements of the detected intrusions.
Microsoft struggles with security on every front and does an insufficient job of protecting its own products and platforms. There have been nearly 40 vulnerabilities—25 of which are ranked as High or Critical severity—in the Windows 11 operating system that was only launched publicly a few weeks ago, and researchers recently discovered malicious files associated with Conti ransomware being hosted from Microsoft’s OneDrive cloud storage.
It is a good thing that Microsoft has shared this report and provided the guidance they have. But it's disingenuous to not be more up front about the impact of the attack on Microsoft itself and Microsoft customers. Microsoft has a dominant role in the IT infrastructure of companies around the world, and their failure to prioritize security continues to put everyone at risk.
Is the threat actor in this case NOBELIUM? We will have to take Microsoft’s word for it. The notion of leveraging upstream identity compromise to take advantage of the trust relationship and compromise downstream targets certainly fits their standard methodology. However, Microsoft does not include the “smoking gun” that points from Russia to these targets, and they have not shared enough information in what they have made public to determine the accuracy of attributing this activity to NOBELIUM or Russia.
In general, organizations face significant consequences if they are compromised by threat actors. The consequences are far worse, though, when the compromise flows downstream and leads to the compromise of customer networks and data as well.
Organizations that have the privilege of managing or servicing downstream customers carry a correspondingly greater responsibility to get things right. Security is not just a “differentiator” for these companies; it is a necessity. Managing customers is a privilege, not a right, and it can easily be lost if resellers don't get this right now.
Today, the supply chain is one of the weakest paths to compromise, and it is inadequately defended in most organizations. That said, there is by definition always a “weakest link.” Historically, it has taken the form of either human error, such as poor security controls or falling for phishing scams, or vulnerabilities and weaknesses in hardware and software configuration.
Attackers develop methodologies to build exploits around those weakest links, or, more accurately, weakest paths. Simply blocking the avenues seen so far would not solve the problem. The best chance of success for defenders is to deploy a detection strategy, specifically Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) technology, that can spot the abuse of trusted software as the starting point of an attack and provide the visibility and context needed to shut it down immediately.