3 steps partners should take to mitigate the renewed Nobelium threat

Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organisations integral to the global IT supply chain.
Tom Burt (Microsoft)

Microsoft has warned channel partners about fresh supply chain attack activity by the Russian nation-state actor known as Nobelium, laying out a number of steps IT providers can take to mitigate the threat.

Nobelium – the name Microsoft has attributed to the group – is the same threat actor behind the 2020 supply chain attack on SolarWinds customers, and one that, according to Microsoft, the US government and others have identified as part of Russia's foreign intelligence service (SVR).

Nobelium, also known in the security industry as APT29 or Cozy Bear, has been attempting to replicate the approach it has used in past attacks by targeting organisations integral to the global IT supply chain, according to Microsoft.

Microsoft customer security and trust corporate vice president Tom Burt claims that, this time, the threat group is attacking a different part of the supply chain, specifically focusing on resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers.

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers,” Burt said in a blog post.  

“We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community. Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium.  

“We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised. Fortunately, we have discovered this campaign during its early stages and we are sharing these developments to help cloud service resellers, technology providers and their customers take timely steps to help ensure Nobelium is not more successful,” he added.

Notably, the attacks Microsoft has observed in this campaign against resellers and service providers did not exploit any particular flaw or vulnerability in software. Instead, the group relied on well-known techniques such as password spraying and phishing to steal legitimate credentials and then used the access those credentials carried, including privileged access.

“We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach,” Burt said.  

Indeed, the Microsoft Partner Network team has produced guidance to help partners protect themselves and their customers from potential attack by the group, noting that the attacks highlight the need for administrators to adopt strict account security practices and take additional measures to secure their environments.

The vendor suggests that cloud service providers (CSPs), managed service providers (MSPs) and other IT services organisations that rely on delegated administrative privileges should review the guidance and implement the recommended mitigations immediately.

Here are the three steps Microsoft recommends that partners take:

1. Verify and monitor compliance with Microsoft Partner Centre security requirements

All Microsoft partners should review and verify overall compliance status with the partner security requirements through the Microsoft Partner Centre.  

Microsoft recommends that partners ensure multifactor authentication (MFA) is in use and conditional access policies are enforced; all Microsoft partners are required to use MFA to access Partner Centre and for cross-tenant access to customer tenants in Microsoft commercial clouds.  

Partners are also advised to check their security compliance status in Partner Centre and to monitor for any user logins or API calls that are not compliant with MFA enforcement, so that compliance is maintained at all times rather than verified once.

Moreover, Microsoft recommends partners adopt the Secure Application Model framework: all partners integrating with the Partner Centre APIs must use it for any application that relies on the app + user authentication model, rather than storing user credentials in the application.

Partners should also regularly check the 'Activity Log' in Partner Centre to monitor user activities, in particular the creation of high-privileged users and the assignment of high-privileged roles.

Partners can also use Partner Centre Activity Log APIs to create a custom security dashboard on key user activities in Partner Centre to proactively detect suspicious activities, Microsoft noted.

2. Remove delegated administrative privileges (DAP) connections when not in use

To reduce the attack surface, Microsoft has recommended that partners remove delegated administrative privileges connections to customer tenants that are no longer in use.

Starting in November, a new reporting tool will be available that identifies and displays all active delegated administrative privilege connections and will help organisations to discover unused delegated administrative privileges connections, the company said.

This tool will provide reporting that captures how partner agents are accessing customer tenants through those privileges and will allow partners to remove the connection when not in use.  

3. Conduct a thorough investigation and comprehensive response

Microsoft recommended that partners carry out additional investigations if they think they might have been affected to determine the full scope of compromised users or assets.  

On this front, Microsoft recommends partners review the Azure AD Security Operations Guide to audit or establish their security operations.   

“If you are a cloud service provider or an organisation that relies on elevated privileges, you need to assess the security implications in your network and its connectivity for your customers,” the Microsoft Partner Network team said in its guidance. “In particular, review authentications that are associated with Azure AD configuration changes using the Microsoft 365 compliance center (formerly in the Exchange admin centre) or Azure AD admin logs.”
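The two signals the guidance keeps returning to, password spraying against partner accounts and successful sign-ins that were not MFA-compliant, can both be checked from an exported Azure AD sign-in log. The following Python is an added example written for this page, not Microsoft's code or tooling. The field names follow the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `authenticationRequirement`, `status.errorCode`), the records in `SAMPLE_SIGNINS` are constructed for the demonstration rather than real telemetry, and the 30-minute window and five-account threshold are assumed starting points to tune for your own tenant.

```python
"""Sign-in log triage for two signals: password spraying and credential use
that skipped MFA.

Added example, not Microsoft's code. Field names follow the Microsoft Graph
`signIn` resource; SAMPLE_SIGNINS is constructed data. The window and
min_accounts thresholds are assumptions to tune per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# AADSTS50126: invalid username or password. A spray leaves many of these from
# one source IP against many different accounts.
INVALID_CREDENTIALS = 50126


def _rec(ts, upn, ip, code, req="singleFactorAuthentication",
         app="Office 365 Exchange Online"):
    """Build one sign-in record in the Graph signIn shape (constructed data)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "authenticationRequirement": req,
            "status": {"errorCode": code}}


# Constructed sample: 203.0.113.7 tries one password across five accounts,
# then later signs in as erin without MFA; the rest is ordinary traffic.
SAMPLE_SIGNINS = [
    _rec("2021-10-25T08:00:05Z", "alice@contoso.com", "203.0.113.7", 50126),
    _rec("2021-10-25T08:03:11Z", "bob@contoso.com", "203.0.113.7", 50126),
    _rec("2021-10-25T08:07:40Z", "carol@contoso.com", "203.0.113.7", 50126),
    _rec("2021-10-25T08:12:02Z", "dave@contoso.com", "203.0.113.7", 50126),
    _rec("2021-10-25T08:15:33Z", "erin@contoso.com", "203.0.113.7", 50126),
    _rec("2021-10-25T09:41:19Z", "erin@contoso.com", "203.0.113.7", 0),
    _rec("2021-10-25T08:02:00Z", "frank@contoso.com", "198.51.100.20", 50126),
    _rec("2021-10-25T08:02:30Z", "frank@contoso.com", "198.51.100.20", 0,
         req="multiFactorAuthentication"),
    _rec("2021-10-25T10:10:00Z", "grace@contoso.com", "192.0.2.9", 50126),
    _rec("2021-10-25T10:11:00Z", "heidi@contoso.com", "192.0.2.9", 50126),
]


def parse_time(ts):
    """Graph timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def password_spray_candidates(signins, window=timedelta(minutes=30), min_accounts=5):
    """Map each source IP that produced invalid-password failures against at
    least `min_accounts` distinct accounts inside any `window` to the sorted
    list of every account it tried. A single user mistyping a password never
    reaches the threshold, which is what separates a spray from noise."""
    failures = defaultdict(list)
    for s in signins:
        if s.get("status", {}).get("errorCode") == INVALID_CREDENTIALS:
            failures[s["ipAddress"]].append(
                (parse_time(s["createdDateTime"]), s["userPrincipalName"].lower()))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered failures
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_accounts:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


def single_factor_successes(signins, only_ips=None):
    """Successful sign-ins whose authenticationRequirement was not MFA.
    Pass the spray sources as `only_ips` to see what access a spray achieved;
    pass None to list every non-MFA success (step 1's compliance check)."""
    hits = []
    for s in signins:
        succeeded = s.get("status", {}).get("errorCode", 0) == 0
        no_mfa = s.get("authenticationRequirement") != "multiFactorAuthentication"
        if succeeded and no_mfa and (only_ips is None or s["ipAddress"] in only_ips):
            hits.append((s["userPrincipalName"].lower(), s["ipAddress"],
                         s["appDisplayName"]))
    return hits


def triage(signins):
    """Tie the two signals together: which IPs sprayed, and whether any account
    was then used successfully from those IPs without MFA."""
    spray = password_spray_candidates(signins)
    return {"spray_sources": spray,
            "single_factor_from_spray_ip": single_factor_successes(signins, set(spray))}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SIGNINS).items():
        print(key, value)
```

On the sample data the triage flags 203.0.113.7 as a spray source against five accounts and shows that erin's account was later used from that IP with single-factor authentication, which is exactly the sequence the article describes: a sprayed password that worked, used against a tenant where MFA was not enforced. In practice the input is the sign-in log exported from the Azure portal or pulled from the Microsoft Graph `auditLogs/signIns` endpoint; a hit on the second list for a partner agent account is the cue to treat the account as compromised and to review what it did in customer tenants via the delegated access.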

Additionally, adequate log retention procedures for cloud-based resources are critical to effectively identify, respond to and remediate malicious activity.  

“Cloud service providers and other technology organisations often configure individual subscriptions to meet specific customer requirements,” the team said. “These configurations might not include security controls that enable full accountability to administrative actions should an incident occur.  

“We encourage all organisations to become familiar with logs made available within your subscription and routinely evaluate them for adequacy and anomalies,” it added.  

Microsoft also included some tips for downstream customers as part of its guidance. These were: review, audit and minimise access privileges and delegated permissions; verify MFA is enabled and enforce conditional access policies; and review and audit logs and configurations.

“For organisations relying on a third-party organisation, work with them to understand their logging strategy for all administrative actions and establish a process should logs need to be made available during an incident," the Microsoft Partner Network team said.