05.28.21

Threat Report

Significant Cyber Event | Intelligence Report – Nobelium

By Stephan Schenk

Summary

Deepwatch is currently tracking and responding to Microsoft’s report regarding the Nobelium threat actor group. Nobelium is the threat actor behind the SolarWinds campaign, including the Sunburst and Teardrop malware. Both historically and in the current campaign, Nobelium has targeted government agencies, think tanks, consultants, and non-governmental organizations. During the current campaign, Microsoft has identified more than 150 organizations in 24 countries that have been targeted.

As in prior campaigns, the threat actors were able to compromise a legitimate service; this time it was USAID’s Constant Contact account. Constant Contact is a mass email marketing solution. Once they had control of the account, they were able to conduct targeted spear phishing campaigns that contained a malicious payload which would create a backdoor on the victim’s machine. The attackers could then pivot to data theft or further entrench themselves in the victim’s network.

Information on the full scope of the attacks is still limited; as more becomes available, Deepwatch will review it and provide you with an update. For the complete technical analysis, Deepwatch refers you to Microsoft’s report.

What can you do?

Deepwatch recommends that you immediately update your defense-in-depth technologies and signatures to provide you with the most up-to-date protections. We also strongly encourage enabling Two-Factor Authentication (2FA) at a minimum, and preferably Multi-Factor Authentication (MFA), where appropriate.

In addition to this, Deepwatch recommends the following:

    1. Update your anti-virus and Endpoint Detection & Response (EDR) to the latest signatures.
    2. Log PowerShell activity from all Microsoft devices.
    3. Quarantine or block all compression extensions and the compromised email addresses on your Security Email Gateway.
    4. Review critical access groups to ensure only the appropriate personnel have access to critical systems and applications.
    5. Enable data loss prevention mechanisms to monitor and block unauthorized file transfers.
    6. Log web-facing applications.
    7. Review your logging standards to ensure Deepwatch is receiving all of your critical logs (e.g. Security Email Gateway, Web Application Firewalls, PowerShell, CLI, etc.).

What is Deepwatch doing?

  • The Managed Detection & Response team is conducting a review for all customers who are currently sending network and email gateway logs to Splunk.
    • Deepwatch is performing a year-to-date analysis of the associated Indicators of Compromise (IOCs) across the customer base to identify potential targets.
    • Detection Engineering is updating the emerging threat rules to include the relevant IOCs.
  • Deepwatch’s Managed EDR and Firewall teams are evaluating the IOCs to ensure that they are loaded into each customer’s security platform of choice.

IOCs

IP Addresses

  • 192.99.221[.]77
  • 83.171.237[.]173

Domains

  • worldhomeoutlet[.]com
  • theyardservice[.]com
  • usaid.theyardservice[.]com
  • dataplane.theyardservice[.]com
  • cdn.theyardservice[.]com
  • static.theyardservice[.]com

Email Addresses

  • [email protected][.]gov
  • [email protected][.]gov

Hashes 

  • 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252
  • d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142
  • 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916
  • 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0
  • ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c
  • ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330

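The IOCs above are published defanged (`[.]`), so before they can be matched against logs they have to be refanged and sorted by type. As an added example that is not part of Deepwatch’s report or platform, the Python script below loads the IP, domain and SHA-256 indicators listed above, refangs them, and sweeps them across a few constructed proxy, firewall and EDR log lines (the log format, hostnames and internal addresses are invented for the example). Domain matching is done on the parent-domain suffix, so a previously unseen subdomain of theyardservice[.]com still fires.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Defanged indicators copied verbatim from the report above.
REPORT_IOCS = """
192.99.221[.]77
83.171.237[.]173
worldhomeoutlet[.]com
theyardservice[.]com
usaid.theyardservice[.]com
dataplane.theyardservice[.]com
cdn.theyardservice[.]com
static.theyardservice[.]com
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(ioc: str) -> str:
    """Turn the report's '[.]' notation back into a live indicator."""
    return ioc.strip().lower().replace("[.]", ".")


def classify(ioc: str) -> str:
    """Bucket a refanged indicator as 'ip', 'sha256' or 'domain'."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if SHA256_RE.match(ioc):
        return "sha256"
    return "domain"


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Parse a defanged IOC list into per-type sets (sets also drop duplicates)."""
    buckets: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "sha256": set()}
    for line in text.splitlines():
        if line.strip():
            value = refang(line)
            buckets[classify(value)].add(value)
    return buckets


def domain_hit(host: str, domains: Set[str]) -> Optional[str]:
    """Return the matching indicator for an exact domain or any parent domain."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_line(line: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (ioc_type, indicator) pairs that fire on one log line."""
    lower = line.lower()
    hits: List[Tuple[str, str]] = []
    for ip in IP_RE.findall(lower):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for digest in HASH_RE.findall(lower):
        if digest in iocs["sha256"]:
            hits.append(("sha256", digest))
    for host in HOST_RE.findall(lower):
        hit = domain_hit(host, iocs["domain"])
        if hit:
            hits.append(("domain", hit))
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Sweep every line; return (line_number, ioc_type, indicator) for each hit."""
    return [(n, t, v) for n, line in enumerate(lines, 1) for t, v in scan_line(line, iocs)]


# Constructed sample log lines (not real telemetry); internal hosts and IPs are invented.
SAMPLE_LOGS = [
    "2021-05-28T14:02:11Z proxy src=10.1.4.22 dst_host=usaid.theyardservice.com method=GET status=200",
    "2021-05-28T14:02:13Z fw action=allow src=10.1.4.22 dst=192.99.221.77 dport=443",
    "2021-05-28T14:02:20Z edr host=WS-0117 file=report.zip sha256=2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252",
    "2021-05-28T14:03:00Z proxy src=10.1.4.30 dst_host=update.example.com method=GET status=200",
]

if __name__ == "__main__":
    for n, ioc_type, value in scan_logs(SAMPLE_LOGS, load_iocs(REPORT_IOCS)):
        print(f"line {n}: {ioc_type} match on {value}")
```

In practice the refanged sets would be pushed into the SIEM or EDR as a lookup rather than scanned with regexes, but the suffix-matching rule in `domain_hit` is the part worth carrying over: an exact-match lookup on `theyardservice.com` alone would miss the `usaid.`, `cdn.` and `static.` subdomains the report lists.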
Sources

  1. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
  2. https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/
