2021-10-25
Nobelium is Targeting Global IT Supply Chain Again
In a blog post, Microsoft says it has observed new activity from the Nobelium threat actor. Nobelium has been linked to Russian foreign intelligence and was responsible for the SolarWinds supply-chain attack. The most recent activity targets “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers,” with the aim of abusing the delegated administrative access those providers hold in their customers' tenants. Microsoft notes that the campaign does not rely on a software vulnerability but on well-known techniques such as password spraying and phishing, and has released advice for mitigation and remediation, including enforcing multi-factor authentication and reviewing partner relationships and delegated admin privileges.
Editor's Note
The key point here is that managed service providers are often granted admin privileges on customer systems and these “… delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators.” When signing on for cloud services, all such delegated admin privileges should be minimized and processes need to be established to ensure that they are removed whenever that service provider is terminated.

John Pescatore
Monitor all accounts with administrative privileges, whether used for insourced or outsourced support. Make sure that your account disablement procedures include provisions for changes of staff at an MSP and that they are not all using the same account, just as you would with your staff. If you terminate an external support contract, make sure all associated accounts and access are also disabled or deleted promptly.

Lee Neely
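The two notes above (audit delegated admin privileges and remove them when the provider is terminated; watch for shared credentials and accounts that outlive a contract) describe a review that is easy to run once you have an export of privileged accounts and a register of provider contracts. The following is an added example, not code from the article, from SANS or from Microsoft's guidance. The inventory fields, provider names, dates and domains are all hypothetical and constructed for the example; in a real tenant the inventory would come from your directory's role-assignment and sign-in reports (for Microsoft 365, the partner relationships page in the admin center and the directory-role membership).

```python
# Added example (not from the article or Microsoft's guidance): review a
# privileged-account inventory for delegated/outsourced admin access that
# should be removed or tightened. All sample data below is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AdminAccount:
    upn: str                  # sign-in name of the privileged account
    role: str                 # directory role it holds
    provider: Optional[str]   # MSP/reseller it belongs to; None = internal staff
    last_sign_in: date        # most recent observed use
    operators: Set[str]       # distinct named people seen signing in with it


@dataclass
class Provider:
    name: str
    contract_end: Optional[date]   # None = contract still active


def review_admin_accounts(accounts: List[AdminAccount], providers: List[Provider],
                          today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for access that needs action.

    Findings:
      contract-ended     provider's contract is over but its account still holds a role
      unknown-provider   account claims a provider that is not in the contract register
      shared-credential  more than one person has signed in with the same account
      stale              no use within stale_days (delegated access left lying around)
    """
    register: Dict[str, Provider] = {p.name: p for p in providers}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if acct.provider is not None:
            prov = register.get(acct.provider)
            if prov is None:
                findings.append((acct.upn, "unknown-provider"))
            elif prov.contract_end is not None and prov.contract_end <= today:
                findings.append((acct.upn, "contract-ended"))
        if len(acct.operators) > 1:
            findings.append((acct.upn, "shared-credential"))
        if (today - acct.last_sign_in).days > stale_days:
            findings.append((acct.upn, "stale"))
    return findings


# Constructed sample inventory (hypothetical providers, accounts and dates).
SAMPLE_PROVIDERS = [
    Provider("northwind-msp", contract_end=None),
    Provider("contoso-reseller", contract_end=date(2021, 6, 30)),
]
SAMPLE_ACCOUNTS = [
    AdminAccount("alice@example.com", "Global Administrator", None,
                 date(2021, 10, 22), {"alice"}),
    AdminAccount("svc-admin@northwind-msp.example", "Global Administrator",
                 "northwind-msp", date(2021, 10, 20), {"bob", "carol", "dave"}),
    AdminAccount("onboarding@contoso-reseller.example", "Helpdesk Administrator",
                 "contoso-reseller", date(2021, 2, 3), {"erin"}),
    AdminAccount("tmp-support@unknown-vendor.example", "Exchange Administrator",
                 "acme-support", date(2021, 10, 24), {"frank"}),
]


def sample_review(today: date = date(2021, 10, 25)) -> List[Tuple[str, str]]:
    """Run the review over the constructed sample as of the article's date."""
    return review_admin_accounts(SAMPLE_ACCOUNTS, SAMPLE_PROVIDERS, today)


if __name__ == "__main__":
    for upn, finding in sample_review():
        print(f"{finding:18} {upn}")
```

Run against the constructed sample, the review flags the MSP service account used by three different people, the reseller account whose contract ended in June and which has not been used since February, and the support account whose provider is not in the contract register at all; the internal administrator with a single operator and recent use produces no finding. The stale-days threshold and the contract register are the two knobs an organization would tie to its own offboarding process.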
Another way to look at this is the SolarWinds attack was so successful, and the cost was so minimal, that Russian Intelligence has simply accelerated their efforts to continue to infiltrate and/or harvest as much as they can targeting 3rd party infrastructure. Makes you wonder just how many of their attacks have been successful and we have yet to discover them.

Lance Spitzner
Caveat Emptor cannot address the supply chain as a means of distributing malicious code. Neither can we simply accept the risk. We must hold suppliers accountable, if not for the quality of their own code, at least when they recklessly distribute the code of others. Am I the only one that thinks that our tools and processes for managing the quality and content of software are inadequate?

William Hugh Murray
Read more in
Microsoft: New activity from Russian actor Nobelium
Microsoft: NOBELIUM targeting delegated administrative privileges to facilitate broader attacks
The Register: SolarWinds attacker on the move: Russia's Nobelium crew has trebled attacks targeting MSPs, cloud resellers, says Microsoft
SC Magazine: Nobelium compromises at least 14 resellers and IT service providers, Microsoft warns
ZDNet: SolarWinds hackers, Nobelium, once again strike global IT supply chains, Microsoft warns