Late last year, we learned that Russian state actors compromised SolarWinds Orion, a widely used network monitoring tool, and were able to access the systems of many SolarWinds customers – including many federal agencies.
That group, called Nobelium, didn't give up when their hack was discovered. Instead, they stepped up their activity. According to a report Microsoft released late last month, Nobelium has been targeting IT resellers and service providers since at least May.
"We have notified more than 140 resellers and technology service providers that have been targeted by Nobelium," said Tom Burt, Microsoft's corporate vice president for customer security and trust, in a blog post.
According to Burt, as many as 14 of those resellers had been compromised.
In addition, he said, since the start of July, Microsoft has informed 609 customers about nearly 23,000 other Nobelium attacks, "with a success rate in the low single digits."
"It seems as if Nobelium is trying to get access to as many technology providers as possible, and this was not seen before," said Maayan Fishelov, security researcher at SCADAfence. "Data centers that provide services to many customers should be aware that they may be a target of such attacks. For example, a big cloud storage company that hosts files for their clients – hundreds of companies – is a prime target for such an attack."
If the attack is successful, then the Nobelium group will have access to all the data on that data center's customers, he told Data Center Knowledge.
What's different in this new round of attacks is that, instead of installing malware in a key piece of software, as they did with SolarWinds, the attackers are impersonating trusted IT vendors, said Anthony James, vice president of product marketing at Infoblox, a cybersecurity company.
Implications for Data Centers
For data center security managers, this has two major implications, he told Data Center Knowledge.
First, any communication from an IT supplier should be considered suspect because that supplier might have been compromised.
"Any time I get an email requesting something – an invoice, information I should provide – I always go directly to the company asking for it, and not respond to the email," James said.
Second, when the data center is itself a service provider, it needs to be on high alert for phishing and similar attacks, he said.
Data center providers are particularly valuable targets because the attackers can then use compromised employee accounts to get to their customers, which can irreparably damage a data center's reputation.
According to Microsoft, Nobelium is now using password sprays, phishing, token theft and API abuse to steal legitimate credentials.
Microsoft has released guidance for its partners on how to protect their operations, which is useful for any IT services provider.
Top recommendations include using multi-factor authentication and monitoring user activities, especially those of privileged users. In addition, Microsoft recommends removing administrative privileges when not in use.
Companies should also be moving toward a zero-trust security model, said Infoblox's James.
"Someone shouldn't be trusted just because they have the credentials," he said.
The new wave of attacks underscores that the traditional castle-and-moat approach to security leaves organizations exposed, said Danny Lopez, CEO at Glasswall, a cybersecurity company.
He also recommends that data centers look to zero trust.
"Zero-trust security sees the world differently," Lopez told Data Center Knowledge. "No one is trusted by default, regardless of whether they are inside or outside a network. Without a zero-trust approach, organizations run the risk of attackers like Nobelium having a free rein across a network once they are inside."
One particular area of vulnerability mentioned in the Microsoft report is that of leftover administrative permissions.
It's a common bad practice, said Gal Diskin, co-founder and CTO at Authomize, a cybersecurity company.
"Organizations forget to remove these privileged permissions," Diskin told Data Center Knowledge. That leaves doors open for attackers.
"This exposure is hard to detect," he said, especially if these abandoned accounts aren't part of a federated access management system.
Diskin suggested that data center cybersecurity managers audit permissions and remove inactive and unused ones, and monitor for changes in permissions and usage – and demand that their IT suppliers do the same for their own systems.
These accounts don't just belong to people who no longer use them, he added.
According to Authomize research, 20% belong to systems, not people, and, of those, 80% are inactive and 30% have administrative privileges. They are often used to carry out important automated tasks, he said. "So compromising one may give the attackers significant privileges inside your organization."