Nobelium, After SolarWinds, Has Now Hit Microsoft

Nobelium, After SolarWinds, Has Now Hit Microsoft

Nobelium, the group that gained notoriety for its supply chain attack on SolarWinds, has now hit Microsoft. In the SolarWinds attack, the APT infiltrated nine US federal agencies and about 100 US companies and stole sensitive information from them.

This time, last Friday, Microsoft said that the APT was able to plant malware on the computer of one of its support agents and steal account information from a small number of customers. The actor later used this information to launch highly targeted attacks, the company said.

Microsoft is currently investigating an issue where its support agents were configured with minimal permissions required for secure access to customer information.

Redmond had to deal with a number of threats recently. A month ago, it reported a phishing campaign conducted by Nobelium that impersonated USAID. Around 3,000 accounts were targeted during the campaign, which were hit through phishing emails.

In its latest security update, Microsoft said it has seen an increase in the number of attacks using brute-force and password spray.

“This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised — we are aware of three compromised entities to date,” it said. “All customers that were compromised or targeted are being contacted through our nation-state notification process.”

On Friday, in a second post, Microsoft admitted that an actor managed to get a malicious driver signed by the company.

“The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time,” the company said.

The company says the actor’s goal is to use the driver to spoof their geo-location and play from anywhere, gain an advantage in games, and exploit other players by compromising their accounts with keyloggers.

Due to an incident on April 30, Microsoft has been reviewing its policies and processes related to driver signing and validation. The company will block the malicious drivers through its Defender applications.

Meanwhile, Microsoft recommended using zero trust and multi-factor authentication to protect environments.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.