Significant Cyber Event (SCE) Intelligence Report - Nobelium


Summary

deepwatch is currently tracking and responding to Microsoft’s report on the Nobelium threat actor group. Nobelium is the threat actor behind the SolarWinds campaign, including Sunburst and Teardrop. Nobelium has traditionally targeted, and continues to target, government agencies, think tanks, consultants, and non-governmental organizations. During the current campaign, Microsoft has identified more than 150 organizations in 24 countries that have been targeted.

As in prior campaigns, the threat actors were able to compromise a legitimate service; this time it was USAID’s Constant Contact account. Constant Contact is a mass email marketing solution. Once they had control of the account, they were able to conduct targeted spear phishing campaigns that contained a malicious payload which would create a backdoor on the victim’s machine. The attackers could then pivot to data theft or further entrench themselves in the victim’s network.

Information on the full scope of the attacks is limited; as more becomes available, deepwatch will review it and provide you with an update. For the complete technical analysis, deepwatch refers you to Microsoft’s report.

What can you do?

deepwatch recommends that you immediately update your defense-in-depth technologies and signatures to provide you with the most up-to-date protections. We also highly encourage enabling Two-Factor Authentication (2FA) at a minimum, and Multi-Factor Authentication (MFA) preferably where appropriate. 

In addition to this, deepwatch recommends the following:

    1. Update your anti-virus and Endpoint Detection & Response (EDR) to the latest signatures.
    2. Log PowerShell activity from all Microsoft devices.
    3. Quarantine or block all compression extensions and the compromised email addresses on your Security Email Gateway.
    4. Review critical access groups to ensure only the appropriate personnel have access to critical systems and applications.
    5. Enable data loss prevention mechanisms to monitor and block unauthorized file transfers.
    6. Log web-facing applications.
    7. Review your logging standards to ensure deepwatch is receiving all of your critical logs (e.g. Security Email Gateway, Web Application Firewalls, PowerShell, CLI, etc.).

What is deepwatch doing?

  • The Managed Detection & Response team is conducting a review for all customers who are currently sending network and email gateway logs to Splunk.
    • deepwatch is performing a year-to-date analysis of associated Indicators of Compromise (IOCs) across the customer base to identify potential targets.
    • Detection Engineering is updating the emerging threat rules to include relevant IOCs. 
  • deepwatch’s Managed EDR and Firewall teams are evaluating IOCs to ensure that they are loaded into the security platform of choice.
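
The year-to-date IOC review described above amounts to refanging the published indicators and matching them against destinations in historical logs. The following is an added example, not deepwatch's or Microsoft's tooling; the indicators, the proxy log format and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed indicators (RFC 5737 address, .example domain) in the page's [.] notation.
DEFANGED_IOCS = ["192.0.2[.]77", "mail-assets[.]example"]
# Constructed proxy log: timestamp, client IP, destination host, path.
SAMPLE_LOG = """\
2021-05-26T14:02:11Z 10.1.4.23 news.mail-assets.example /a
2021-05-26T14:02:19Z 10.1.4.23 192.0.2.77 /b
2021-05-26T14:03:40Z 10.1.7.8 notmail-assets.example /index.html
2021-05-26T14:05:02Z 10.1.9.51 MAIL-ASSETS.EXAMPLE. /
2021-05-26T14:06:30Z 10.1.9.51 www.example.org /mail-assets.example
"""

def refang(indicator):
    """Undo common defanging ([.], (.), hxxp://) and normalise case."""
    text = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxps?://", "", text).rstrip(".")

def load_iocs(defanged):
    """Split indicators into a set of IP addresses and a set of domains."""
    ips, domains = set(), set()
    for value in map(refang, defanged):
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:
            domains.add(value)
    return ips, domains

def host_matches(host, ips, domains):
    """Return the indicator a host matches, or None; domains match on label boundaries."""
    host = host.lower().rstrip(".")
    try:
        return host if ipaddress.ip_address(host) in ips else None
    except ValueError:
        labels = host.split(".")
    for i in range(len(labels) - 1):  # sub.bad.example hits, notbad.example does not
        if ".".join(labels[i:]) in domains:
            return ".".join(labels[i:])
    return None

def sweep(log_text, defanged):
    """Return (timestamp, client, host, indicator) for each matching log line."""
    ips, domains = load_iocs(defanged)
    rows = (line.split() for line in log_text.splitlines())
    hits = ((f, host_matches(f[2], ips, domains)) for f in rows if len(f) >= 3)
    return [(f[0], f[1], f[2], hit) for f, hit in hits if hit]

if __name__ == "__main__":
    print(*sweep(SAMPLE_LOG, DEFANGED_IOCS), sep="\n")
```

Matching on label boundaries is what lets a single parent-domain indicator cover its subdomains without flagging lookalike hosts, and comparing only the destination field avoids hits on indicator strings that merely appear in a URL path.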

IOCs

IP Addresses

  • 192.99.221[.]77
  • 83.171.237[.]173

Domains


Email Addresses

Hashes 


Sources

  1. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
  2. https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/

 
