The latest attack by the Russia-based group known as Nobelium this week used a government agency’s account credentials for the cloud email marketing service Constant Contact in a phishing campaign that led to the breach of 3,000 email accounts across 150 organisations.
Nobelium is the same state-sponsored organisation behind the massive breach last year of the SolarWinds Orion network monitoring product. That nation-state attack sent shockwaves throughout the world with Nobelium gaining access to U.S. government agencies, critical infrastructure entities and private sector organisations.
This time, Nobelium gained access to the Constant Contact account of the United States Agency for International Development, or USAID. The government agency advances what it calls U.S. national security and economic prosperity as a means to demonstrate American generosity.
From USAID’s Constant Contact account, Nobelium was able to “distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” said Microsoft Corporate Vice President Customer Security & Trust Tom Burt. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”
In an email to CRN, Constant Contact said it was aware that the “account credentials” of one of its customers was compromised and used by a malicious actor to access the customer’s Constant Contact accounts. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” said Constant Contact.
Dirk Arends, president of Virtual Systems, a Microsoft Silver partner and cloud solution provider based in Grand Rapids, Mich., said the attack shows how state-sponsored hackers are leveraging upstream vendors to reach government and customer data.
“I don’t believe these attacks will curb cloud migrations, but I see much better due diligence being done by businesses and government agencies as they select partners, and that’s a good thing,” said Arends. “The bar is being raised for service providers to adhere to the highest requirements for security and compliance, and that’s good for everyone.”
Leveraging Constant Contact USAID account to escalate attack
The latest Nobelium cyberattack “escalated significantly” on May 25 when the state-sponsored hackers used the “legitimate mass mailing service Constant Contact,” according to Microsoft’s Threat Intelligence Center (MSTIC).
The May 25 phishing campaign included several iterations of emails sent from the Constant Contact account of USAID. In one example, the emails appear to originate from USAID, said Microsoft, while not having an “authentic sender email address that matches the standard Constant Contact service.”
The emails posed as an “alert” from USAID dated May 25, 2021 with a subhead: “USAID Special Alert: Donald Trump Published New Documents On Election Fraud.” If the user clicked the link on the email, the URL directs them to the legitimate Constant Contact service and then redirects to a Nobelium “controlled infrastructure.” A “malicious ISO” file was then delivered to the system.
“The successful deployment of these payloads enables Nobelium to achieve persistent access to compromised systems,” said Microsoft. “Then, the successful execution of these malicious payloads could enable Nobelium to conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.”
Nobelium spear phishing operations on the rise
Microsoft security researchers warned that Nobelium’s spear phishing operations are “recurring and have increased in frequency and scope.”
What’s more, Microsoft said it is “anticipated that additional activity may be carried out by” Nobelium using an “evolving” set of tactics.
“Microsoft continues to monitor this threat actor’s evolving activities and will update as necessary. Microsoft 365 Defender delivers coordinated defense against this threat. Microsoft Defender for Office 365 detects the malicious emails, and Microsoft Defender for Endpoints detects the malware and malicious behaviors,” said the company. “Additionally, customers should follow defensive guidance and leverage advanced hunting to help mitigate variants of actor activity.”
Among the mitigations recommended by Microsoft are enabling “multifactor authentication (MFA) to mitigate compromised credentials.” In fact, Microsoft “strongly encourages all customers download and use passwordless solutions like Microsoft Authenticator to secure accounts.”
In addition, Microsoft recommends turning on “cloud-delivered protection in Microsoft Defender Antivirus or the equivalent” so that antivirus products can cover “rapidly evolving attacks.”
Microsoft also recommends using Microsoft Endpoint detection and response in block mode so that “Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode.”
Also recommended: enabling network protection to “prevent applications or users from accessing malicious domains and other malicious content on the internet” and using device discovery to increase “visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.”
Microsoft also advises users to enable “investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts” to resolve breaches.
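The following script is an added example, not code from the article or from Microsoft, that audits a single Windows host against the Defender settings listed above using the built-in Defender PowerShell cmdlets. It assumes an elevated session on a machine with Microsoft Defender Antivirus installed; EDR in block mode is configured in the Defender for Endpoint portal rather than locally, so the script only reports that state.

```powershell
# Added example (not from the article or from Microsoft): audit a host against the
# Defender mitigations the article lists. Run elevated; pass -Fix to apply the two
# settings that can be changed locally instead of just printing the commands.
param([switch]$Fix)

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced (cloud-delivered protection)
$cloudOn   = $pref.MAPSReporting -ge 1
# EnableNetworkProtection: 0 = Disabled, 1 = Enabled, 2 = Audit mode
$netProtOn = $pref.EnableNetworkProtection -eq 1
# AMRunningMode reports e.g. "Normal", "Passive Mode" or "EDR Block Mode"
$edrBlock  = $status.AMRunningMode -eq 'EDR Block Mode'
$passive   = $status.AMRunningMode -like '*Passive*'

$findings = @(
    [pscustomobject]@{ Control = 'Cloud-delivered protection'; Enabled = $cloudOn;   Value = $pref.MAPSReporting }
    [pscustomobject]@{ Control = 'Network protection';         Enabled = $netProtOn; Value = $pref.EnableNetworkProtection }
    [pscustomobject]@{ Control = 'Real-time protection';       Enabled = (-not $pref.DisableRealtimeMonitoring); Value = $status.AMRunningMode }
    [pscustomobject]@{ Control = 'EDR block mode';             Enabled = $edrBlock;  Value = $status.AMRunningMode }
)
$findings | Format-Table -AutoSize

# Passive Defender behind a third-party AV without EDR block mode is exactly the gap
# the article's guidance targets; it has to be fixed in the Defender for Endpoint portal.
if ($passive -and -not $edrBlock) {
    Write-Warning 'Defender AV is passive and EDR block mode is not active; enable EDR in block mode in the Defender for Endpoint portal.'
}

# Local remediation for the two settings Set-MpPreference controls.
if (-not $cloudOn) {
    $cmd = 'Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples'
    if ($Fix) { Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples } else { Write-Host "Recommended: $cmd" }
}
if (-not $netProtOn) {
    $cmd = 'Set-MpPreference -EnableNetworkProtection Enabled'
    if ($Fix) { Set-MpPreference -EnableNetworkProtection Enabled } else { Write-Host "Recommended: $cmd" }
}
```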
Can email be trusted in new threat landscape?
The use of the Constant Contact email marketing service raises the question yet again of how businesses can protect themselves in an era where email is used to gain access to a government agency’s or organisation’s crown jewels, solution providers said.
The account credentials attack raises yet again the specter of whether emails can be trusted without being verified, said Michael Luehr, a Microsoft 365 practice manager for Dynamic Consulting LLC, a Microsoft Gold partner that specializes in Dynamics 365 backed up by a full portfolio of Microsoft cloud and security services.
“It used to be that if you got an email you knew who it came from and there were no questions about it,” he said. “It is really getting to the point now where unfortunately email isn’t a trusted platform to go off of. I have had several conversations with our clients about just that topic. Really what it comes down to is letting your users know that email inherently can no longer be trusted at face value.”
The maddening thing about the latest attack, said Luehr, is that it came from a “legitimate email service (Constant Contact), using legitimate accounts, to legitimate end users but the payload was malicious.”
Luehr compared the attack to the Mission Impossible movie and TV show franchise in which the agency would use “masks and voice changers” to impersonate or effectively steal the identity of another person.
“That is what is going on here, but it is easier to do it over email since there was no physical interaction,” said Luehr. “There was a famous wrestler who used to say ‘don’t trust anybody.’ That is what is going on with email: don’t trust email.”
More use of email alternatives
The rise of phishing campaigns and email cyberattacks has more solution providers looking at email alternatives.
Bob Venero, CEO of Holbrook, N.Y.-based solution provider Future Tech Enterprise said the rise of email attacks has prompted Future Tech to use in some cases an encrypted mobile communications alternative to email called Silent Circle. That service provides unlimited encrypted voice, video, messaging, sharing and conference calling. The Silent Circle encryption allows a text to be automatically deleted once it is read.
“I have moved 30 percent of my communications with executive leaders to Silent Circle,” he said. “The threat vector on email is huge. It is where all of the attacks start. The bad actors get in through email, someone clicks on it and now they are into your IT environment. I can’t control what Office 365 does or what other platforms do so I have to do something internally to minimize my risk especially when it comes to high-level executive communications.”
The phishing attack is just another sign of the threat vector from cloud services, according to Venero. “We have always preached about the challenges of cloud services and the risks they pose to corporations and individuals,” he said. “That is not going to change. It is only going to get worse and worse.”
Dynamic Consulting’s Luehr said he expects to see a rise in more businesses resorting to videoconferencing and phone calls to verify a person’s identity. “I think phone calls are going to have a resurgence,” he said. “If email can’t be trusted: what can be trusted? Video calls and audio conversations.”
A call to action for MSPs: Protect account credentials
The latest attack by the SolarWinds hackers, which used compromised Constant Contact account credentials, is yet another warning that MSPs and technology providers need to do a better job of protecting account credentials.
Microsoft said as much with a warning that the latest breach from the state-sponsored hackers is part of a “playbook to gain access to trusted technology providers and infect their customers.”
The dramatic increase in bad actors using stolen account credentials to gain access to MSPs and their customers has been an issue that solution providers have grappled with for the last several years.
“This issue of stealing account credentials from MSPs was important as far back as three years,” said Dynamic Consulting’s Luehr. “Let now be the wake-up call! Let’s not wait any further. There have already been countless attacks on MSPs and account compromises. This was important three years ago, two years ago and today. Let’s recognize it now and let’s get it fixed now!”
Dynamic Consulting, for its part, recommends that customers use Microsoft Azure Active Directory, multifactor authentication, password management and constant verification. “The internet isn’t a trusted place which means email isn’t a trusted place anymore,” Luehr said. “The lesson here is even if it looks good, looks enticing, and looks spicy, don’t click on it!”