SolarWinds Attackers Spotted Using New Tactics, Malware

One year after the disruptive supply-chain attacks, researchers have observed two new clusters of activity from the Russia-based actors that signal a significant threat may be brewing.

One year after the notorious and far-reaching SolarWinds supply-chain attacks, its orchestrators are on the offensive again. Researchers said they’ve seen the threat group – which Microsoft refers to as “Nobelium” and which is linked to Russia’s spy agency – compromising global business and government targets with novel tactics and custom malware, stealing data and moving laterally across networks.

Researchers from Mandiant have identified two distinct clusters of activity that can be “plausibly” attributed to the threat group, which they track as UNC2452, they said in a report published Monday.

Mandiant has tracked the latest activity as UNC3004 and UNC2652 since last year and throughout 2021, observing the compromise of a range of companies that provide technology solutions, cloud and other services as well as resellers, they said.


Indeed, resellers were the target of a campaign by Nobelium that Microsoft revealed in October, in which the group was seen using credential-stuffing and phishing, as well as API abuse and token theft, to gather legitimate account credentials and privileged access to reseller networks. The ultimate goal of this campaign seemed to be to reach downstream customer networks, researchers said at the time.

Nobelium also engaged in credential theft in April using a backdoor called FoggyWeb to attack Active Directory servers, Microsoft revealed in September.

In the latest clusters observed by Mandiant, stolen credentials also facilitated initial access to the targeted organizations. However, researchers believe the threat actors acquired the credentials from an info-stealer malware campaign of a third party rather than one of their own, they said.

Novel Malware and Activity

Attackers have added a number of novel tactics, techniques and procedures (TTPs) to bypass security restrictions within environments, including the extraction of virtual machines to determine internal routing configurations, researchers wrote.

They also have new malware in their arsenal: a new, bespoke downloader that researchers have called Ceeloader. The malware, which is heavily obfuscated, is written in C and can execute shellcode payloads directly in memory, they wrote.

A Cobalt Strike beacon installs and executes Ceeloader, which itself does not have persistence and so can’t run automatically when Windows is started. The malware can evade security protections, however, by mixing calls to the Windows API with large blocks of useless code, researchers said.

Other activity observed in the attacks includes using accounts with application impersonation privileges to harvest sensitive mail data, using residential IP proxy services and newly provisioned geo-located infrastructure to communicate with compromised victims, and abuse of multi-factor authentication (MFA) to leverage “push” notifications on smartphones, researchers said.

As with other Nobelium campaigns, the motive for the clusters appears to be cyberespionage, as the attacks show the actors targeting companies to steal data “relevant to Russian interests,” according to Mandiant.

“In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments,” researchers wrote.

Potential for Downstream Compromise

The so-called SolarWinds “Solorigate” attack that was discovered last December is now the stuff of legend. It became a cautionary tale for how quickly and how far a cyberattack can spread through a global supply chain.

In those attacks, which affected numerous organizations – including Microsoft and the Department of Homeland Security – Nobelium used a malicious binary called “Sunburst” as a backdoor into SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed SolarWinds component of the Orion software framework. The component is a plugin that communicates via HTTP to third-party servers, allowing the attack to proliferate quickly.

There is similar potential for widespread attack in the new clusters observed by Mandiant, researchers said. They observed “multiple instances where the threat actor compromised service providers and used the privileged access and credentials belonging to these providers to compromise downstream customers,” they said.

Attackers also used credentials they appear to have obtained from the third-party info-stealer campaign to gain access to an organization’s Microsoft 365 environment via a stolen session token. Researchers identified the info-stealer CRYPTBOT on some of the affected systems shortly before the token was generated, researchers said.

“Mandiant assesses with moderate confidence that the threat actor obtained the session token from the operators of the info-stealer malware,” researchers wrote. “These tokens were used by the actor via public VPN providers to authenticate to the target’s Microsoft 365 environment.”

MFA Push Abuse

One novel and rather creative technique researchers observed Nobelium using in the attacks is the abuse of repeated MFA push notifications to gain access to corporate accounts, researchers wrote.

Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor to authenticate access to an account.

Using a valid username and password combination, the attackers issued multiple MFA requests to an end user’s legitimate device until the target accepted the authentication, the researchers said. This ultimately granted the threat actor access to the account.
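The push-abuse pattern described above leaves a clear trace in MFA logs: a burst of denied or timed-out prompts for one user, followed by an approval. The following detector is an added example, not code from the article or from Mandiant; it runs over constructed sample log lines in a hypothetical pipe-delimited format (timestamp|user|event|result|src_ip) and flags both the prompt flood itself and any approval that follows it within a short window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log lines (hypothetical format, not from any real product):
# timestamp|user|event|result|src_ip
SAMPLE_LOG = """\
2021-12-06T08:01:02Z|alice|mfa_push|denied|203.0.113.10
2021-12-06T08:01:40Z|alice|mfa_push|timeout|203.0.113.10
2021-12-06T08:02:15Z|alice|mfa_push|denied|203.0.113.10
2021-12-06T08:02:50Z|alice|mfa_push|denied|203.0.113.10
2021-12-06T08:03:30Z|alice|mfa_push|approved|203.0.113.10
2021-12-06T08:05:00Z|bob|mfa_push|approved|198.51.100.7
2021-12-06T09:15:00Z|carol|mfa_push|denied|198.51.100.9
2021-12-06T11:40:00Z|carol|mfa_push|approved|198.51.100.9
"""


def parse_line(line):
    """Parse one pipe-delimited MFA log line into a dict with a datetime timestamp."""
    ts, user, event, result, src_ip = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "result": result,
        "src_ip": src_ip,
    }


def detect_push_fatigue(lines, window_minutes=10, threshold=3):
    """Flag repeated unapproved MFA pushes per user, and approvals that follow them.

    Two alert kinds are emitted:
      - push_flood: the user received `threshold` denied/timed-out pushes within the window
      - approval_after_repeated_pushes: an approval arrived while that many unapproved
        pushes were still inside the window (the outcome the attacker is after)
    """
    events = sorted(
        (parse_line(l) for l in lines if l.strip() and "|" in l),
        key=lambda e: e["ts"],
    )
    window = timedelta(minutes=window_minutes)
    # Per-user timestamps of recent unapproved pushes (denied or timeout).
    recent = defaultdict(deque)
    alerts = []

    for e in events:
        if e["event"] != "mfa_push":
            continue
        q = recent[e["user"]]
        # Drop unapproved pushes that have aged out of the window.
        while q and e["ts"] - q[0] > window:
            q.popleft()

        if e["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({
                    "user": e["user"],
                    "kind": "approval_after_repeated_pushes",
                    "prior_rejections": len(q),
                    "ts": e["ts"].isoformat(),
                    "src_ip": e["src_ip"],
                })
            # An approval ends the burst either way.
            q.clear()
        else:
            q.append(e["ts"])
            # Alert once, when the burst first crosses the threshold.
            if len(q) == threshold:
                alerts.append({
                    "user": e["user"],
                    "kind": "push_flood",
                    "prior_rejections": len(q),
                    "ts": e["ts"].isoformat(),
                    "src_ip": e["src_ip"],
                })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_push_fatigue(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, alice triggers both alerts (a flood after the third unapproved push, then an approval with four unapproved pushes still in the window), while bob's single approval and carol's widely spaced denial and approval produce nothing. The approval-after-flood alert is the one worth paging on, since it means the attacker now holds a session; the flood alert on its own is an early warning that a password has been compromised and should prompt a reset even if the user kept declining.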

All in all, the new clusters show that Nobelium’s potential for dangerous threat activity seems to be rising in both sophistication and intensity, signaling the potential for another SolarWinds-style attack on the horizon, observed one security professional.

“Cyberwarfare is now simply a part of modern geopolitical life, so we cannot expect these attacks to ease up any time soon, especially from state-sponsored actors,” noted Erich Kron, security awareness advocate at security firm KnowBe4, in an email to Threatpost. “These attacks will continue to escalate as techniques improve and more resources are allocated to cyberwarfare.”


Discussion

  • Paul on

    Elizabeth, is it possible to get the editors to stop calling UNC2452, Nobelium "SolarWinds Hackers". It is misleading because I always read "SolarWinds Hackers" and in my mind I see people in Austin, Texas actively hacking into others systems. SolarWinds was a victim of a Russian Government attack.
  • br0kzenz on

    Agree with that. Honestly, stop giving attackers names. Giving them names validates their cause.
