It appears that the Solar Winds attackers are not done with us yet. A report from Data Breach Today on May 28 confirms that Microsoft has discovered yet another attack from the same group.
What is Happening?
Microsoft discovered that the Solar Winds attackers are busy waging a phishing campaign. Their most recent victim is a marketing campaign that the U.S. Agency for International Development - USAID uses. The result of this attack is thousands of malicious emails sent out.
Microsoft has identified “Nobelium” as the group behind the attack and the same group that carried out the Solar Winds supply chain attack a few months ago. The Solar Winds attack affected 18,000 users and threat experts are still trying to clean up and recover the mess left behind. Security experts believe the attack comes from a Russian-backed hacker group known as Nobelium.
How Does the Latest Attack Work?
Attackers took control of the Constant Contact account owned by USAID and sent out thousands of emails with a tainted link that, when clicked, infects the user’s device with a backdoor called “NativeZone.”
As of Tuesday, the campaign was still active. Microsoft has not said how many victims were affected by these malicious emails. They did note in their report that about 3,000 victims were targeted from 150 companies. Most of the attacks occurred within the U.S. but also affected 20 other countries. The types of companies that received these emails were in the international development, humanitarian and human rights work sectors.
The Response to the Attack
A joint effort between the FBI and U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating the matter further. They did reassure the public that most of the emails would have been disabled by security software such as antivirus/anti-malware programs before they reached the victims.
According to Data Breach Today ‘A spokesperson for Constant Contact says:
“We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts. This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement.”’
Corporate vice president for customer security and trust at Microsoft, Tom Burt, said,
“When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers,” in response to the attack. “By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.”
Relations between the U.S. and Russia have been tense, especially recently since President Biden issued sanctions against Russia for their involvement in cybercrimes against the U.S. Biden is scheduled to meet Russian President Vladimir Putin on June 16 at a convention in Geneva, Switzerland.
Cybersecurity Taken Seriously
Previously phishing campaigns were not considered all that dangerous. However, recent large-scale attacks that potentially originated from a single email have become a wake-up call to government agencies and cybersecurity experts. The weakest link can result in devastation to an organization and even a nation.
The Solar Winds attack had far-reaching consequences, and those affected have learned a good lesson. Phishing campaigns are just the beginning and can lead to further destruction if underestimated.
Many of these emails contain malicious links or downloadable files. Some use DLL (Dynamic Link Library) files to hide tainted code. If users open the files or click the links, their device and entire network can be compromised within minutes.
Hacker tactics evolve, and thus, the end-user must know what to look for and how to respond. The number one way to avoid these types of issues is never to click a link in email or download attachments without verifying where they came from first.