Microsoft is warning that Nobelium, the cyber-group behind the SolarWinds attack, has targeted at least 140 resellers and technology service providers in global IT supply chains.
Microsoft said the Russian-origin Advanced Persistent Threat (APT) group has now pivoted to software and cloud service resellers to “piggyback on any direct access that resellers may have to their customers’ IT systems.”
Weighing up the risks this threat poses to businesses operating in the technology reselling space is Troy Gill, Senior Manager of Threat Intelligence at Zix | AppRiver.
Gill explains to Digital Journal why Nobelium remains a threat for those operating in the reselling and service-provider space. According to Gill: “Supply chain attacks continue to make headlines in 2021 and it seems that Nobelium continues to be a common thread. It all started when the Nobelium hacking group compromised the distribution systems for SolarWinds’ Orion IT network management platform, followed by a spear-phishing email campaign that Microsoft alerted to in May of this year.”
Gill identifies a shift in tactics: “Now, the threat actor is relying on spray-and-pray credential stuffing and phishing to steal legitimate credentials and gain privileged access by attacking resellers and technology service providers that customize, deploy and manage cloud services.”
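The spray-style credential attacks Gill describes leave a recognisable trace in authentication logs: one source failing against many distinct accounts in a short window, occasionally followed by a success. The following detector is an added example for this article, not code from Digital Journal or Zix | AppRiver. The log format, the sample lines, the IP addresses and the thresholds (five distinct accounts within ten minutes) are all constructed assumptions; real tenants would tune them against their own sign-in telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). Format assumed for this
# example: ISO timestamp, source IP, account, result.
SAMPLE_LOG = """\
2021-10-25T08:00:01Z 203.0.113.7 alice@example.com FAIL
2021-10-25T08:00:03Z 203.0.113.7 bob@example.com FAIL
2021-10-25T08:00:05Z 203.0.113.7 carol@example.com FAIL
2021-10-25T08:00:07Z 203.0.113.7 dave@example.com FAIL
2021-10-25T08:00:09Z 203.0.113.7 erin@example.com FAIL
2021-10-25T08:00:11Z 203.0.113.7 frank@example.com SUCCESS
2021-10-25T08:01:00Z 198.51.100.4 alice@example.com FAIL
2021-10-25T08:01:20Z 198.51.100.4 alice@example.com FAIL
2021-10-25T08:01:40Z 198.51.100.4 alice@example.com SUCCESS
2021-10-25T09:30:00Z 192.0.2.9 grace@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, result) tuples,
    skipping anything that does not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failures hit at least `min_accounts` distinct
    accounts inside any `window`-long span. A user mistyping one password
    three times does not trip this; one source walking a user list does.
    For each flagged IP, report how many accounts it failed against and
    which accounts it subsequently succeeded on (likely compromised)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # tuples sort by timestamp first
        fails = [e for e in evs if e[3] == "FAIL"]

        # Sliding window over the failures from this IP.
        flagged = False
        left = 0
        for right in range(len(fails)):
            while fails[right][0] - fails[left][0] > window:
                left += 1
            distinct = {e[2] for e in fails[left:right + 1]}
            if len(distinct) >= min_accounts:
                flagged = True
                break

        if flagged:
            failed_accounts = {e[2] for e in fails}
            hits = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
            alerts[ip] = {"accounts": len(failed_accounts), "compromised": hits}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: failed against {info['accounts']} accounts, "
              f"successes afterwards: {info['compromised'] or 'none'}")
```

In the constructed sample only 203.0.113.7 is flagged: it fails against five different accounts in ten seconds and then signs in as frank@example.com, which is the account an analyst would reset first. The repeated failures from 198.51.100.4 against a single account are left alone, since that is what a legitimate user forgetting a password looks like.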
The associated risks have reached the top of the U.S. government, says Gill. He explains: “Earlier this year, the Biden administration reacted to supply chain attacks by releasing the ‘Executive Order on Improving the Nation’s Cybersecurity’ that contains language with the purpose of securing the U.S. federal government’s software supply chain. The executive order leverages supply chain security as part of a broader effort to modernize the U.S. federal government’s cybersecurity and requires that federal agencies adopt zero-trust architecture and uphold this new security model by implementing security best practices such as encryption and MFA.”
Gill welcomes this, although there remains more to be done: “This was a step in the right direction to protecting and defending organizations from such attacks, but there are steps organizations must take themselves.”
Gill emphasises why firms should continue to remain guarded: “These attacks underscore how threat actors continue to misuse legitimate services to help their campaigns evade detection. Traditional email security solutions will not protect them against these sophisticated attacks.”
Based on this, there are practical measures for a firm to take. Gill recommends: “In response, organizations need to upgrade their email security posture with a solution that’s capable of scanning incoming correspondence for campaign patterns, malware signatures, IP addresses, and other threat behaviors. This analysis should occur in real time so that legitimate correspondence can reach its intended destination without delay.”