SolarWinds—Attackers at It Again in Back-to-Back Campaigns

Nobelium, the APT group behind the infamous attack on SolarWinds, has resurfaced in two recent campaigns against US-based IT companies and government organizations. Check out Securin’s analysis of 18 vulnerabilities used by the group to exploit and infiltrate their targets. 

In the last week of June 2021, the attackers behind the infamous SolarWinds supply chain incident were back again, targeting Microsoft’s corporate network. The group is said to have stolen credentials from one of its customer service agents and used the information to launch attacks against other Microsoft clients, compromising at least three customer accounts.

Earlier, in May 2021, the same group was identified impersonating a US government agency. The cyberattack piggybacked on a marketing email account of the US Agency for International Development (USAID) and managed to reach 3,000 email accounts across 150 different organizations. However, the White House claims that the intruding attempts were curbed, by and large, and the “noisy” campaign did not cause much damage.

Dubbed the Nobelium campaign, the attacks have been attributed to the Russian state-sponsored threat group Nobelium, which has been operational since 2008. The group is also known as APT29, Cozy Bear, The Dukes, and UNC2452 and has 11 other aliases.

More recently, in early July, the APT29 group was deemed responsible for an attack on the American Grand Old Party or the Republican Party.

Vulnerabilities in APT 29’s Radar

Securin’s dynamic threat database has mapped 18 CVEs to APT29, popularly called the Nobelium group. Here is our analysis of these vulnerabilities:

Exploits and Trends

• Fourteen CVEs are capable of remote code execution, while eight CVEs have associated WebApp exploits, with a few having both capabilities.

• Twelve of the associated vulnerabilities are recently trending CVEs, according to Google Trends.

• The oldest vulnerability exploited by Nobelium is from 2009, and three CVEs were newly discovered this year.

Severity and Weaknesses

• A severity analysis of the CVEs brings out 11 vulnerabilities that have been deemed critical by CVSS V3 scoring and three high-ranked ones.

• Three CVEs have CVSS V3 scores lesser than eight, illustrating that low-scoring vulnerabilities are also ripe targets for exploitation.

• Twelve weaknesses power these vulnerabilities, seven of which feature in MITRE’s Top 25 CWEs of 2020.

Products and Vendors

• There are five vulnerabilities, including CVE-2020-0674 and CVE-2021-26855, across 35 different products from Microsoft that have been recently trending.

• Other than Microsoft, the vulnerabilities are present across products of vendors, including Pulse Secure, Citrix, Fortinet, Cisco, Mozilla, Elastic, Redhat, Sycamore, Oracle, VMware, Apple, and F5.

• Fourteen F5  products that provide multi-cloud security and application services are vulnerable to CVE-2020-5902, which can be exploited remotely.

Patches and Weaponization

• All vulnerabilities have patches available. Considering the fact that these vulnerabilities led to the biggest cyberattack of recent times, organizations should prioritize them for patching immediately.

• Interestingly, Securin called out CVE-2021-26855 in the Ransomware Spotlight report Q1 update for how rapidly it was weaponized and started trending in the wild.

Securin warned about seven (7) vulnerabilities in APT29’s collection in our Ransomware Reports published in February and May 2021.

APT29 has been identified as deploying the Maze ransomware while targeting victims.

APT29—Attack Methodology

The initial vector in the government agencies’ attack was a phishing campaign. The hackers masqueraded as the government body and sent emails to different accounts across international development, humanitarian, and human rights organizations. The attempt was majorly thwarted as automated systems detected unusual email activity and blocked them. However, the emails that did manage to get through contained beacon malware, which—when clicked—allowed for a system compromise.

The figure below shows a sample phishing email.

Image Source: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

In the case of the Microsoft attack, the group used password spraying and brute-force attacks to extract passwords that could help gain entry into customer accounts.

MITRE ATT&CK and Mapping

We have listed the tactics adopted by the APT29 group in the Nobelium campaign.

Targeted Sectors and Countries

An analysis of the Nobelium campaign shows multiple sectors being targeted: Pharmaceuticals and Biotechnology, Aerospace and Defense, Media and Entertainment, Telecommunications, Energy and Natural Resources, Law, Information Technology, Consulting, Healthcare, Healthcare Providers, Finance, Education, and Research.

The campaign was carried out across Belgium, Israel, Italy, the United States, Turkey, India, Luxembourg, the United Kingdom, Canada, Chile, France, Mexico, Germany, Thailand, Switzerland, Denmark, the United Arab Emirates, Bulgaria, Spain, Ireland, and Singapore.

Exposure

The following are the results of the Nobelium vulnerabilities that have a direct CVE exposure, according to Shodan. Cumulatively, these amount to over 20,000 exposed instances where attackers have a clear advantage.

CVE-2020-5902 (F5 vulnerability)	CVE-2019-19781 (Citrix vulnerability)
CVE-2019-1653 (Cisco vulnerability)	CVE-2019-11510 (Pulse Secure)
CVE-2021-26855 (Exchange server RCE)

Given the history of APT29, CISA published a warning by Microsoft on May 27, 2021, describing the campaign as sophisticated, one that evolved over the course of five months.

Increasing Attacks Demand a Change in the Cybersecurity Strategy

While the recent Nobelium campaigns seem to have been subdued compared to the SolarWinds impact, we can see increasing attacks on organizations in the US by Russia-backed actors and associated ransomware groups. Beginning with the impactful Colonial Pipeline attack, followed by the Ireland Health Service Executive (HSE) attack, the JBS attack, the Nobelium campaign, the SolOriens attack, and the recent Microsoft campaign, Russian APT groups are directly or indirectly linked to this flurry of high-profile cyberattacks. Propelled by these findings, cybersecurity was discussed as a priority in the recently concluded summit between Russian President Vladimir Putin and US President Joe Biden.

Today’s cybercrime activities are moving toward high-impact attacks, posing a high risk to all organizations alike, including federal entities. Organizations need to shift from a defensive mindset to an offensive approach to stay ahead of threat actors. This calls for a rigorous analysis of an organization’s risk exposure, backed by a well-informed database that enables the organization to evaluate looming threats and deal with the ones that matter the most.

We urge all organizations to patch the vulnerabilities on priority in order to avoid another supply chain attack.

Read on to learn more about our analysis of the group and patch the associated vulnerabilities before it is too late.

{Update September 03, 2021}: Autodesk, a US-based software company known for its 3D computer-aided design and modeling tools software AutoCAD, has revealed that one of its servers was backdoored with the Sunburst malware during the SolarWinds supply chain attack in December 2020. Clearly, attacks are becoming more sophisticated, with organizations realizing the breach only months later and its impact being felt a long time after the attack.

{Update September 30, 2021}: After being associated with the WellMess malware in July 2021, the Nobelium group has now been identified as deploying two new backdoors, Tomiris and FoggyWeb. These have been recently trending, giving us enough reasons to believe that the threat group is slowly developing its techniques and tactics.

{Updated November 02, 2021}: On October 24, 2021, researchers noticed new tactics and techniques being used by the Nobelium group. The Nobelium group is trying to replicate an older approach that targets companies integral to the global IT supply chain. The intention is to attack resellers and other service providers who customize, manage, and deploy cloud services on behalf of the customer. The attack campaigns targeting resellers and service providers observed thus far have not exploited any software vulnerability but are using well-known techniques, such as password phishing and spraying, to steal legitimate credentials in the hope of gaining privileged access.

{Updated on February 08, 2022}: The threat actor behind the SolarWinds supply chain attack, Nobelium, has been continually expanding its malware arsenal, with the newest additions being two sophisticated malware families—GoldMax, a Linux variant and TrailBlazer, a new implant—that were recently discovered on a victim network.

Securin can help organizations improve their security posture!