SolarWinds Attackers at It Again in Back-to-Back Campaigns
Posted on 19th Jul, 2021 | By Priya Ravindran
Nobelium, the APT group behind the infamous SolarWinds attack, has resurfaced in two recent campaigns against US-based IT companies and government organizations. Check out CSW's analysis of the 18 vulnerabilities the group has used to exploit and infiltrate its targets.
In the last week of June 2021, the attackers behind the infamous SolarWinds supply chain incident were back, this time targeting Microsoft's own corporate network. The group is reported to have gained access to a machine belonging to one of Microsoft's customer support agents, and to have used the customer account information available to that agent to launch attacks against other Microsoft customers, compromising at least three customer accounts.
Earlier, in May 2021, the same group had been identified impersonating a US government agency. The phishing campaign piggybacked on a marketing email account belonging to the US Agency for International Development (USAID) and reached around 3,000 email accounts across more than 150 organizations. However, the White House said that the intrusion attempts were by and large curbed and that the 'noisy' campaign caused little damage.
Dubbed the Nobelium campaign, the attacks have been attributed to the Russian state-sponsored threat group Nobelium, which has been active since at least 2008. The group is also known as APT29, Cozy Bear, The Dukes and UNC2452, and has 11 other aliases.
More recently, in early July, APT29 was reported to be responsible for an attack on the Republican National Committee (RNC), the American Grand Old Party.
Vulnerabilities on APT29's radar
CSW's dynamic threat database maps 18 CVEs to APT29, popularly called the Nobelium group. Here is our analysis of these vulnerabilities:
Exploits and trends:
14 CVEs allow remote code execution and eight have associated web application exploits; some have both.
12 of the associated vulnerabilities are currently trending according to Google Trends.
The oldest vulnerability exploited by Nobelium dates from 2009, and three CVEs were newly disclosed this year.
Severity and weaknesses:
A severity analysis of the CVEs shows 11 vulnerabilities rated critical under CVSS v3 scoring and three rated high.
Three CVEs have CVSS v3 scores below 8.0, illustrating that lower-scoring vulnerabilities are also ripe targets for exploitation.
12 CWE weaknesses underlie these vulnerabilities, seven of which feature in MITRE's 2020 Top 25 CWE list.
Products and Vendors:
Five of the vulnerabilities affect 35 different Microsoft products, including CVE-2020-0674 and CVE-2021-26855, which have recently been trending.
Beyond Microsoft, the vulnerabilities affect products from vendors including Pulse Secure, Citrix, Fortinet, Cisco, Mozilla, Elastic, Red Hat, Sycamore, Oracle, VMware, Apple and F5.
14 F5 products that provide multi-cloud security and application services are vulnerable to CVE-2020-5902, which can be exploited remotely without authentication.
Patches and weaponization:
Patches are available for all 18 vulnerabilities. Given that they are associated with the group behind the biggest cyber attack of recent times, organizations should prioritize them for patching immediately.
Notably, CSW called out CVE-2021-26855 in the Q1 update of its Ransomware Spotlight report for how rapidly it was weaponized and began trending in the wild.
CSW warned about seven of the vulnerabilities in APT29's collection in its Ransomware Reports published in February and May 2021.
[Table: CVEs called out by CSW]
APT29 has been identified as deploying the Maze ransomware while targeting victims.
APT29 Attack Methodology
The initial vector in the attack on government-linked organizations was a phishing campaign. The attackers masqueraded as USAID and sent emails to accounts across international development, humanitarian and human rights organizations. The attempt was largely thwarted because automated systems detected the unusual email activity and blocked the messages. However, the emails that did get through carried a link that delivered a Cobalt Strike Beacon payload, compromising the recipient's system once the link was clicked.
The figure below shows a sample phishing email.
In the case of the Microsoft attack, the group used password spraying and brute-force attacks to obtain passwords that would give it entry to customer accounts.
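Password spraying and brute forcing leave different footprints in authentication logs: a spray tries one or two guesses against many accounts from the same source, while brute force hammers a single account. The detector below, an added example that is not CSW's tooling or Microsoft's telemetry, separates the two patterns over a constructed sample log and flags a successful login from a spraying source as a likely compromise. The log format (one event per line: ISO-8601 UTC timestamp, source IP, username, SUCCESS or FAILURE) and the thresholds are assumptions chosen for illustration; tune them to your identity provider's baseline.

```python
"""Password-spray vs. brute-force detection over authentication logs.

Added example, not CSW's tooling or Microsoft's telemetry. The log format
(one event per line: "<ISO-8601 UTC timestamp> <source IP> <username>
<SUCCESS|FAILURE>") and the thresholds below are assumptions chosen for
illustration; tune them to your own identity provider's baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # sliding window examined per source IP
SPRAY_MIN_USERS = 5              # spray: many distinct accounts ...
SPRAY_MAX_PER_USER = 2           # ... but only a few failures on each
BRUTE_MIN_FAILURES = 6           # brute force: many failures on one account

# Constructed sample log (not real data). 203.0.113.7 sprays one guess across
# six accounts and lands a hit on "frank"; 198.51.100.9 hammers "admin";
# 192.0.2.5 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2021-06-20T10:00:01Z 203.0.113.7 alice FAILURE
2021-06-20T10:00:09Z 203.0.113.7 bob FAILURE
2021-06-20T10:00:17Z 203.0.113.7 carol FAILURE
2021-06-20T10:00:25Z 203.0.113.7 dave FAILURE
2021-06-20T10:00:33Z 203.0.113.7 erin FAILURE
2021-06-20T10:00:41Z 203.0.113.7 frank SUCCESS
2021-06-20T10:01:00Z 198.51.100.9 admin FAILURE
2021-06-20T10:01:04Z 198.51.100.9 admin FAILURE
2021-06-20T10:01:08Z 198.51.100.9 admin FAILURE
2021-06-20T10:01:12Z 198.51.100.9 admin FAILURE
2021-06-20T10:01:16Z 198.51.100.9 admin FAILURE
2021-06-20T10:01:20Z 198.51.100.9 admin FAILURE
2021-06-20T10:01:24Z 198.51.100.9 admin FAILURE
2021-06-20T10:01:28Z 198.51.100.9 admin FAILURE
2021-06-20T10:02:00Z 192.0.2.5 alice FAILURE
2021-06-20T10:02:10Z 192.0.2.5 alice SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one log line of the assumed format into an AuthEvent."""
    ts, src, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(when, src, user, result == "SUCCESS")


def analyze(lines):
    """Return a list of findings, one per (source, pattern[, account]).

    For every source IP, each event opens a WINDOW-long window in which
    failures are counted per account. Many accounts with few failures each
    is a spray; many failures on one account is brute force. A success from
    a spraying source inside the same window is reported as a likely hit.
    """
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    findings = {}  # keyed so each pattern is reported once per source/account
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - start.ts <= WINDOW]
            fails = defaultdict(int)
            for e in window:
                if not e.success:
                    fails[e.user] += 1
            if len(fails) >= SPRAY_MIN_USERS and max(fails.values()) <= SPRAY_MAX_PER_USER:
                key = (src, "password_spray", "*")
                cand = {"kind": "password_spray", "src": src, "accounts": len(fails),
                        "successes": sorted({e.user for e in window if e.success}),
                        "window_start": start.ts.isoformat()}
                if key not in findings or cand["accounts"] > findings[key]["accounts"]:
                    findings[key] = cand
            for user, n in fails.items():
                if n >= BRUTE_MIN_FAILURES:
                    key = (src, "brute_force", user)
                    cand = {"kind": "brute_force", "src": src, "user": user,
                            "failures": n, "window_start": start.ts.isoformat()}
                    if key not in findings or n > findings[key]["failures"]:
                        findings[key] = cand
    return list(findings.values())


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Per-source thresholds are deliberately simple; in production a sprayer rotates source IPs, so the same per-account counting should also be keyed on user agent, ASN or tenant, and the "success after spray" signal is the one worth paging on.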
MITRE ATT&CK Mapping
Below we list the tactics adopted by the APT29 group in the Nobelium campaign.
IOCs (SHA-256)
Sectors and Countries Targeted
An analysis of the Nobelium campaign shows multiple sectors being targeted: pharmaceuticals and biotechnology, aerospace and defense, media and entertainment, telecommunications, energy and natural resources, law, information technology, consulting, healthcare, healthcare providers, finance, education and research.
The campaign was carried out across Belgium, Israel, Italy, United States, Turkey, India, Luxembourg, United Kingdom, Canada, Chile, France, Mexico, Germany, Thailand, Switzerland, Denmark, United Arab Emirates, Bulgaria, Spain, Ireland and Singapore.
The following are the Shodan results for those Nobelium-associated vulnerabilities that Shodan tracks by CVE directly. Cumulatively, these amount to over 20,000 internet-exposed instances where attackers have a clear advantage.
CVE-2020-5902 (F5 vulnerability)
CVE-2019-19781 (Citrix vulnerability)
CVE-2019-1653 (Cisco vulnerability)
CVE-2019-11510 (Pulse Secure vulnerability)
CVE-2021-26855 (Exchange Server RCE)
Increasing attacks demand a change in cyber security strategy
While the recent Nobelium campaigns appear subdued compared to the impact of SolarWinds, attacks on US organizations by Russia-backed actors and associated ransomware groups are increasing. Beginning with the impactful Colonial Pipeline attack, followed by the Irish Health Service Executive (HSE) attack, the JBS attack, the Nobelium campaign, the Sol Oriens attack and the recent Microsoft campaign, Russian APT groups are directly or indirectly linked to this flurry of high-profile cyber attacks. Against this backdrop, cybersecurity was discussed as a priority area in the recently concluded summit between Russian President Vladimir Putin and US President Joe Biden.
Today's cybercrime activity is moving towards high-impact attacks that pose a high risk to all organizations alike, including federal entities. Organizations need to shift from a reactive posture to a proactive one to stay ahead of threat actors. This calls for a rigorous analysis of an organization's risk exposure, backed by a well-informed threat database that lets it evaluate looming threats and deal first with the ones that matter most.