
SolarWinds Hackers Continue To Target Microsoft, With A Special Emphasis On Support Staff


Combating cyberattacks is a constant battle of wits and abilities that frequently leaves IT professionals feeling as if they are barely fending off a never-ending game of whack-a-mole.

Consider Microsoft and the infamous SolarWinds supply chain hack that made headlines last December. Its full ramifications are unknown, but the threat continues to fester in hundreds of compromised business and government networks.

SolarWinds is a large information technology company in the United States of America whose computer network was breached in a series of cyberattacks that spread to its clients and remained undetected for months. Microsoft disclosed recently that it, too, was undoubtedly a victim of the same Russian-based hacker gang responsible for the SolarWinds attack.

As more details about the cyberattack become public, the bleak revelations may well draw a gasp: if Microsoft can be breached, what hope is left for the rest of us?

Microsoft admitted that an attacker believed to be associated with Nobelium phished one of its customer service agents in late May, stealing information and then attempting to hack customers. Microsoft stated that it discovered the compromise while responding to hacks carried out by a group responsible for previous high-profile breaches at SolarWinds and Microsoft.

Ironically, the nation-state hackers behind the SolarWinds supply chain attack compromised the computer of a Microsoft employee.

According to published reports, Microsoft president Brad Smith described SolarWinds as "the largest and most sophisticated attack the world has ever seen" in follow-up statements about the ongoing struggle with cybersecurity. Over a thousand hackers were involved in the attack campaign.

Former SolarWinds CEO Kevin Thompson suggested that the successful breach could have occurred as a result of an intern creating the password "solarwinds123" and then sharing it on GitHub.

Naturally, this is how phishing attacks are intended to operate. Attackers spread their activity across many avenues in the hope of remaining undetected for as long as possible. SolarWinds is a typical example of a large-scale attack that employs multiple attack vectors.

"We are about to enter an era of low-intensity, high-impact cyberwarfare. While adversaries have developed sophisticated capabilities for launching and delivering cyber weapons across nation-states and industries over the last two decades, attackers can now leverage the new hyperconnected world to their advantage," according to Om Moolchandani, CISO of Accurics.

Urban Warfare Gone Digital

Cybercriminals are no longer required to develop highly sophisticated attack vectors. They can penetrate victims through pre-existing connectivity, he noted. He compared cyberattackers' new doctrine to physical warfare strategies in the modern era. The intensity is low, and the attacks are contained, but the consequences are enormous.

"Adversaries blend and conceal themselves among non-combatants in urban warfare, just as cyberattackers are now concealing their tactics through customer support staff," Moolchandani observed.

On June 25, Microsoft's Threat Intelligence Center reported that Nobelium engaged in new attack activity, including password spraying and brute-force attacks. However, Microsoft reports that these tactics have been largely ineffective.

Even if Nobelium's attack on Microsoft's infrastructure was "mostly unsuccessful," the lesson still stands, countered Neil Jones, cybersecurity evangelist at Egnyte.

"This is a textbook illustration of the ongoing need to harden passwords, implement effective multi-factor authentication (MFA) techniques, and optimize password management techniques," he explained.

These requirements are critical for systems that interact with and collect data from clients, he added.

"The most recent attack serves as a stark reminder that, if you haven't already, you should make data governance a board-level priority," Jones added.

More Details Emerge

According to the Threat Center's June 25 report, Microsoft discovered information-stealing malware on a machine belonging to one of its customer support agents, which gave the attacker access to basic account information for a small number of Microsoft's customers.

"In some instances, the actor used this information to launch highly targeted attacks as part of a larger campaign. We acted promptly, removing the access and securing the device," the report stated.

Microsoft's support agents are configured with the fewest possible permissions as part of the company's zero-trust "least privileged access" approach to customer data, the statement explained.

According to Microsoft, this information reaffirms the critical nature of best practice security precautions such as zero-trust architecture and multi-factor authentication in preventing network intrusions.

"Given that the malicious actor was already conducting precision attacks on customers whose information had been compromised," Moolchandani continued, "attacking support agents was almost certainly part of a larger campaign."

Attacker Intentions

According to Moolchandani, the stolen information could reveal customer patterns for usage, logging, or subjects of the IT service provider's service, or other relevant data that could be used to spoof a victim's ID.

"Customer secrets are required in order for support agents to identify them. If this information is stolen, adversaries can use it to spoof victim email addresses and gain access to corporate accounts," he clarified.

Attackers' targeting of IT companies demonstrates their desire to gain access to their end targets via supply chain mechanisms. The majority of information technology companies provide backbone services to large businesses, governments, and industries.

"IT companies place a high premium on customer success and thus require sensitive data, privileges, and access in order to provide these services. They possess a wealth of juicy information that is alluring to adversaries, and any failure to follow cybersecurity best practices such as zero trust, hardening, or multi-factor authentication can result in the compromise of customer data," according to Moolchandani.

Support Agents Key Targets

Attackers are constantly on the lookout for low-cost ways to accomplish their objectives. According to Moolchandani, it is easier and more cost-effective for them to target support agents employed by smaller IT companies that provide support services to large enterprises than it is to target those large organizations directly.

"While support staff is typically granted limited access to systems to meet their needs, organizations are still working hard to spread cybersecurity awareness among their ranks, and that maturity has not yet reached the point where every employee is aware of the risks. This is the vulnerability that attackers are seeking to exploit," he clarified.

Recent revelations demonstrate that simply adding password protection controls is insufficient. Because preventative controls will always fail at some point, near real-time monitoring of how credentials and entitlements are actually behaving is equally critical, and response teams depend on it, warned Ralph Pisani, president of Exabeam.
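The password spraying and brute-force activity Microsoft reported, and the credential-behavior monitoring Pisani calls for, come together in a simple detection rule. The example below is added here and is not code from Microsoft, Exabeam, or the article; the log format, IP addresses, user names, and thresholds are all constructed assumptions.

```python
# Added example: classify bursts of failed logons per source address as
# password spraying (many accounts, one or two attempts each) or brute force
# (one account hammered repeatedly). Log lines, addresses and thresholds are
# constructed for illustration, not taken from any real telemetry.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: "timestamp source_ip user"
SPRAY = [f"2021-06-25T10:00:{i:02d} 203.0.113.7 {u}"
         for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
BRUTE = [f"2021-06-25T10:01:{i:02d} 198.51.100.9 support-agent" for i in range(8)]
NOISE = ["2021-06-25T10:30:00 192.0.2.5 alice",   # a user mistyping twice
         "2021-06-25T10:32:00 192.0.2.5 alice"]
SAMPLE_LOG = "\n".join(SPRAY + BRUTE + NOISE)


def parse(log):
    """Turn the constructed log text into (timestamp, source_ip, user) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), ip, user))
    return events


def classify(events, window=timedelta(minutes=5), spray_users=5, brute_attempts=6):
    """Return {source_ip: label} for sources whose failures in any sliding
    window look like a spray or a brute-force run; quiet sources are omitted."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # all failures from this source inside the window starting at evs[i]
            per_user = Counter(u for t, u in evs[i:] if t - start <= window)
            if len(per_user) >= spray_users and max(per_user.values()) <= 2:
                verdicts[ip] = "password_spray"
                break
            if max(per_user.values()) >= brute_attempts:
                verdicts[ip] = "brute_force"
                break
    return verdicts


if __name__ == "__main__":
    for ip, label in classify(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {label}")
```

The two patterns need different triage: a spray is usually invisible to per-account lockout rules, so the pivot is the source address, while a brute-force run points straight at the targeted account.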

"Despite the fact that Nobelium is well-known in the security community as a result of the SolarWinds attack and other previous successes, they continue to establish new footholds and do not appear to be abating anytime soon," he said.

Better Plans Needed

The adversaries were able to gather additional context about customers in this instance involving Microsoft by using the infected machine. This information enables adversaries to craft highly targeted phishing emails centered on their accounts and payments in order to gain additional access and credentials, Pisani noted.

"Microsoft observed both password spraying and brute-force attacks on accounts and customers as part of the intrusion set. We must accept the notion that identity is the new boundary. We are aware that this most recent incident was caused by a compromised employee," he continued.

Security teams have observed cyber adversaries repeatedly play the same game. Thus, Pisani urged, the defense should begin with detection, triage, investigation, and response.

"While there is a growing emphasis on addressing the two ends of detection and response, most businesses struggle with or overlook the middle pieces, oblivious to the smokescreen created for attackers," Pisani cautioned.

Security Operations Center teams, he urged, must take a more holistic, outcomes-based approach to security. Beyond passwords, safeguarding the identities of your employees, customers, and partners - and anyone else who uses your information technology systems - is critical.
