
SolarWinds hackers have a whole set of new techniques for large-scale intrusion attacks

Almost a year ago, security researchers uncovered one of the most serious data breaches in modern history, if not the most serious: a Kremlin-backed hacking campaign compromised the servers of network-management provider SolarWinds and, from there, the networks of 100 of its most prominent customers, including nine US federal agencies.

Nobelium, the name Microsoft gave to the intruders, was eventually evicted, but the group never gave up; arguably it has only become bolder and more skilled at breaching large numbers of targets in a single stroke. The latest reminder of the group's proficiency comes from the security firm Mandiant, which on Monday published research detailing many of Nobelium's feats, and a few of its mistakes, as it continues to compromise some of its highest-value network targets.

Abuse of trust

One of the things that makes Nobelium so formidable is the creativity of its TTPs, hacker jargon for tactics, techniques, and procedures. Rather than breaking into each target one by one, the group compromised SolarWinds' own network and used that access, together with the trust customers placed in the company, to push malicious updates to roughly 18,000 customers.

Almost immediately, the hackers could penetrate the networks of all of those entities. It is like a burglar breaking into a locksmith's house and obtaining a master key that opens the door of every nearby building, saving the trouble of having to pick each lock. Nobelium's approach is not only scalable and efficient; it also makes large-scale compromises easier to hide.

Mandiant's report shows that Nobelium's ingenuity has not waned. Company researchers said that since last year, the two hacker groups involved in the SolarWinds attack, one tracked as UNC3004 and the other as UNC2652, have continually devised new methods for compromising large numbers of targets efficiently.

This time the groups did not poison SolarWinds' supply chain; instead they compromised the networks of cloud solution providers and managed service providers (CSPs), the outsourced third parties that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those infected providers to break into the providers' customers.

Monday's report stated: "This intrusion activity reflects a resourceful threat actor operating with a high level of concern for operational security. Abusing a third party, in this case a CSP, can facilitate access to a wide range of potential victims through a compromise."

Advanced tradecraft

The advanced tradecraft does not stop there. According to Mandiant, other sophisticated tactics and ingenuities include:

  • Help from financially motivated hackers who use credential-stealing malware such as CryptBot, an information stealer that harvests system and web-browser credentials and cryptocurrency wallets. The credentials obtained from these hackers let UNC3004 and UNC2652 compromise targets even without going through a hacked service provider.
  • Once inside a network, the groups compromised corporate spam filters or other software holding "application impersonation" privileges, which can read email or other data from any other account on the compromised network. Compromising this single account avoids the hassle of breaking into each account individually.
  • Abuse of legitimate residential proxy services or geo-located cloud providers (such as Azure) to connect to the final targets. When administrators of a hacked company checked their access logs, they saw connections coming from a reputable local ISP or from a cloud provider located in the same region as the company. This helps conceal the intrusions, because state-sponsored hackers often use dedicated IP addresses that raise suspicion.
  • Clever ways to bypass security restrictions, such as extracting virtual machines to determine the internal routing configuration of the network they intend to breach.
  • Gaining access to the Active Directory stored in a target's Azure account and using that powerful management tool to steal cryptographic keys, which in turn generate tokens that bypass two-factor authentication. This technique yields what is known as a Golden SAML, which works like a key that unlocks every service using Security Assertion Markup Language, the protocol that makes single sign-on, 2FA, and other security mechanisms work.
  • Use of a custom downloader called Ceeloader.
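A defender-side correlation that the Golden SAML item above suggests, added here as an example that is not part of the original article and not Mandiant's or Microsoft's code: a token forged with a stolen signing key lets the attacker sign in to the cloud tenant without the on-premises federation server (assumed here to be AD FS) ever having issued it, so a federated sign-in with no matching issuance record in the minutes before it is worth alerting on. The log field names and all sample records are constructed.

```python
"""Flag federated cloud sign-ins that the organisation's own federation
server never issued a token for (a Golden SAML indicator).
Assumptions: field names below are illustrative, not a real log schema."""
from datetime import datetime, timedelta

# Constructed: cloud sign-ins that were authenticated via a SAML token.
CLOUD_SIGNINS = [
    {"time": "2021-12-06T09:00:05", "user": "alice@example.test",
     "auth": "federated", "mfa": "satisfied by federation"},
    {"time": "2021-12-06T09:14:30", "user": "svc-backup@example.test",
     "auth": "federated", "mfa": "satisfied by federation"},
    {"time": "2021-12-06T10:30:00", "user": "alice@example.test",
     "auth": "federated", "mfa": "satisfied by federation"},
]

# Constructed: token issuance records from the AD FS server.
ADFS_ISSUANCES = [
    {"time": "2021-12-06T09:00:01", "user": "alice@example.test"},
]


def find_unissued_signins(signins, issuances, window=timedelta(minutes=5)):
    """Return (user, time) for every federated sign-in that has no token
    issuance for the same user within `window` before the sign-in."""
    issued_by_user = {}
    for rec in issuances:
        issued_by_user.setdefault(rec["user"], []).append(
            datetime.fromisoformat(rec["time"]))
    suspicious = []
    for s in signins:
        if s["auth"] != "federated":
            continue  # only SAML-based sign-ins need an issuance event
        t = datetime.fromisoformat(s["time"])
        has_issuance = any(
            0 <= (t - issued).total_seconds() <= window.total_seconds()
            for issued in issued_by_user.get(s["user"], []))
        if not has_issuance:
            suspicious.append((s["user"], s["time"]))
    return suspicious


if __name__ == "__main__":
    for user, when in find_unissued_signins(CLOUD_SIGNINS, ADFS_ISSUANCES):
        print(f"ALERT: federated sign-in for {user} at {when} "
              f"has no AD FS token issuance record")
```

The check only works if the federation server's issuance logs are shipped to a collector the attacker cannot edit, since a key thief with access to that server can also tamper with its logs.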
