{"id":7439,"date":"2021-07-19T17:36:34","date_gmt":"2021-07-20T00:36:34","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7439"},"modified":"2023-04-20T02:31:16","modified_gmt":"2023-04-20T09:31:16","slug":"solarwinds-attackers-at-it-again-in-back-to-back-campaigns","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/solarwinds-attackers-at-it-again-in-back-to-back-campaigns\/","title":{"rendered":"SolarWinds\u2014Attackers at It Again in Back-to-Back Campaigns"},"content":{"rendered":"<p style=\"text-align: justify;\"><strong>Nobelium, the APT group behind the infamous attack on SolarWinds, has resurfaced in two recent campaigns against US-based IT companies and government organizations. Check out Securin\u2019s analysis of 18 vulnerabilities used by the group to exploit and infiltrate their targets.\u00a0<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">In the last week of <a href=\"https:\/\/threatpost.com\/russian-attackers-breach-microsoft\/167340\/\" target=\"_blank\" rel=\"noopener\">June 2021<\/a>, the attackers behind the infamous SolarWinds supply chain incident were back again, targeting Microsoft&#8217;s corporate network. The group is said to have stolen credentials from one of its customer service agents and used the information to launch attacks against other Microsoft clients, compromising at least three customer accounts.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">Earlier, in <a href=\"https:\/\/www.securityweek.com\/us-says-agencies-largely-fended-latest-russian-hack?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+securityweek+%28SecurityWeek+RSS+Feed%29\" target=\"_blank\" rel=\"noopener\">May 2021<\/a>, the same group was identified impersonating a US government agency. The cyberattack piggybacked on a marketing email account of the US Agency for International Development (USAID) and managed to reach 3,000 email accounts across 150 different organizations. However, the White House claims that the intruding attempts were curbed, by and large, and the &#8220;noisy&#8221; campaign did not cause much damage.<\/p>\n<blockquote>\n<p dir=\"ltr\" style=\"text-align: justify;\">Dubbed the Nobelium campaign, the attacks have been attributed to the Russian state-sponsored threat group Nobelium, which has been operational since 2008. The group is also known as APT29, Cozy Bear, The Dukes, and UNC2452 and has 11 other aliases.<\/p>\n<\/blockquote>\n<p style=\"text-align: justify;\">More recently, in early July, the APT29 group was <a href=\"https:\/\/www.securitymagazine.com\/articles\/95614-gop-allegedly-hacked-by-apt29-known-as-cozy-bear\" target=\"_blank\" rel=\"noopener\">deemed responsible<\/a> for an attack on the American Grand Old Party or the Republican Party.<\/p>\n<h2 dir=\"ltr\" style=\"text-align: justify;\">Vulnerabilities in APT 29\u2019s Radar<\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\">Securin\u2019s dynamic threat database has mapped 18 CVEs to APT29, popularly called the Nobelium group. Here is our analysis of these vulnerabilities:<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 100%; height: 100%;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/nobelium-cves.png\" alt=\"CVEs exploited by Nobelium\" \/><\/p>\n<h3 dir=\"ltr\" style=\"text-align: justify;\">Exploits and Trends<\/h3>\n<ul style=\"text-align: justify;\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Fourteen CVEs are capable of remote code execution, while eight CVEs have associated WebApp exploits, with a few having both capabilities.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Twelve of the associated vulnerabilities are recently trending CVEs, according to Google Trends.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The oldest vulnerability exploited by Nobelium is from 2009, and three CVEs were newly discovered this year.<\/p>\n<\/li>\n<\/ul>\n<h3 dir=\"ltr\" style=\"text-align: justify;\">Severity and Weaknesses<\/h3>\n<ul style=\"text-align: justify;\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">A severity analysis of the CVEs brings out 11 vulnerabilities that have been deemed critical by CVSS V3 scoring and three high-ranked ones.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Three CVEs have CVSS V3 scores lesser than eight, illustrating that low-scoring vulnerabilities are also ripe targets for exploitation.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Twelve weaknesses power these vulnerabilities, seven of which feature in MITRE\u2019s Top 25 CWEs of 2020.<\/p>\n<\/li>\n<\/ul>\n<h3 dir=\"ltr\" style=\"text-align: justify;\">Products and Vendors<\/h3>\n<ul>\n<li dir=\"ltr\" style=\"text-align: justify;\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">There are five vulnerabilities, including CVE-2020-0674 and CVE-2021-26855, across 35 different products from Microsoft that have been recently trending.<\/p>\n<\/li>\n<li dir=\"ltr\" style=\"text-align: justify;\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Other than Microsoft, the vulnerabilities are present across products of vendors, including Pulse Secure, Citrix, Fortinet, Cisco, Mozilla, Elastic, Redhat, Sycamore, Oracle, VMware, Apple, and F5.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" style=\"text-align: justify;\" role=\"presentation\">Fourteen F5\u00a0 products that provide multi-cloud security and application services are vulnerable to CVE-2020-5902, which can be exploited remotely.<\/p>\n<\/li>\n<\/ul>\n<h3 dir=\"ltr\">Patches and Weaponization<\/h3>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" style=\"text-align: justify;\" role=\"presentation\">All vulnerabilities have patches available. Considering the fact that these vulnerabilities led to the biggest cyberattack of recent times, organizations should prioritize them for patching immediately.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" style=\"text-align: justify;\" role=\"presentation\">Interestingly, Securin called out CVE-2021-26855 in the <a href=\"https:\/\/cybersecurityworks.com\/ransomware\/\" target=\"_blank\" rel=\"noopener\">Ransomware Spotlight report Q1 update<\/a> for how rapidly it was weaponized and started trending in the wild.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><img decoding=\"async\" class=\"aligncenter\" style=\"height: 85px; width: 700px;\" src=\"https:\/\/lh4.googleusercontent.com\/dl8mdYt9eb9Mtq0TDu44vhl43nSVZmIQlE1la_rAC1e1QUJ8_pV5iqnaUtGGS5fZqqvM2i8PMeHWZr6h9RJdGSv51cwrnR6lQpbRp5pXciDGo7AFRWHD_8AOhGe7dvM3e2u2vzEO\" \/><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><strong>Securin warned about seven (7) vulnerabilities in APT29\u2019s collection in our Ransomware Reports published in February and May 2021.<\/strong><\/p>\n<table style=\"width: 200px;\" border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><strong>CVEs called out by Securin<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">CVE-2015-1641<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">CVE-2018-13379<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">CVE-2019-11510<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">CVE-2019-19781<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">CVE-2019-2725<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">CVE-2020-5902<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">CVE-2021-26855<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<blockquote><p>APT29 has been identified as deploying the Maze ransomware while targeting victims.<\/p><\/blockquote>\n<h2 dir=\"ltr\">APT29\u2014Attack Methodology<\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\">The initial vector in the government agencies\u2019 attack was a phishing campaign. The hackers masqueraded as the government body and sent emails to different accounts across international development, humanitarian, and human rights organizations. The attempt was majorly thwarted as automated systems detected unusual email activity and blocked them. However, the emails that did manage to get through contained beacon malware, which\u2014when clicked\u2014allowed for a system compromise.<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\">The figure below shows a sample phishing email.<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 8px;\"><em>Image Source: <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/05\/27\/new-sophisticated-email-based-attack-from-nobelium\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.microsoft.com\/security\/blog\/2021\/05\/27\/new-sophisticated-email-based-attack-from-nobelium\/<\/a><\/em><\/span><\/p>\n<p dir=\"ltr\"><img decoding=\"async\" class=\"aligncenter\" style=\"height: 450px; margin-left: 200px; margin-right: 200px; width: 346px;\" src=\"https:\/\/lh3.googleusercontent.com\/bWFRgk9KHXZxoEUzgP79RIO4GTEGmoYKKk3a1ZsLm96nip6Rn45Y5jw2IGDSNXMFTVFPuwTbRGf3NvZUp79wCJeJNi_9Kc6_Pbn9Bc2Ud_Orcpk8Q6duuKnjJZrVt6qtKUMWPBmK\" \/><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">In the case of the Microsoft attack, the group used password spraying and brute-force attacks to extract passwords that could help gain entry into customer accounts.<\/p>\n<h2 dir=\"ltr\">MITRE ATT&amp;CK and Mapping<\/h2>\n<p dir=\"ltr\">We have listed the tactics adopted by the APT29 group in the Nobelium campaign.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 800px; height: 445px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/nobelium-mitre-attck-mapping.png\" alt=\"Nobelium MITRE Attack Map\" \/><\/p>\n<div id=\"code_area\">\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>IOCs (SHA 256)<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">A4B790DDFFB3D2E6691DCACAE08FB0BFA1AE56B6C73D70688B097FFA831AF064<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">65495D173E305625696051944A36A031EA94BB3A4F13034D8BE740982BC4AB75<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">58D8E65976B53B77645C248BFA18C3B87A6ECFB02F306FE6BA4944DB96A5EDE2<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">83014AB5B3F63B0253CDAB6D715F5988AC9014570FA4AB2B267C7CF9BA237D18<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">0C5AD1E8FE43583E279201CDB1046AEA742BAE59685E6DA24E963A41DF987494<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">F622D031207D22C633CCEC187A24C50980243CB4717D21FAD6588DACBF9C29E9<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">FD3969D32398BBE3709E9DA5F8326935DDE664BBC36753BD41A0B111712C0950<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">E3D6057B4C2A7D8FA7250F0781EA6DAB4A977551C13FE2F0A86F3519B2AAEE7A<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">F3AF394D9C3F68DFF50B467340CA59A11A14A3D56361E6CFFD1CF2312A7028AD<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">E329607379A01483FC914A47C0062D5A3A8D8D65F777FBAD2C5A841A90A0AF09<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">DD3DA0C596FD699900CDD103F097FE6614AC69787EDFA6FA84A8F471ECB836BB<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">D7E7182F498440945FC8351F0E82AD2D5844530EBDBA39051D2205B730400381<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">BEC1981E422C1E01C14511D384A33C9BCC66456C1274BBBAC073DA825A3F537D<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">C1A0B73BAD4CA30A5C18DB56C1CBA4F5DB75F3D53DAF62DDC598AAE2933345F3<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">B75A5BE703D9BA3721D046DB80F62886E10009B455FA5CDFD73CE78F9F53EC5A<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">A3CA47E1083B93EA90ACE1CA30D9EF71163E8A95EE00500CBD3FD021DA0C18AF<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">A117B2A904C24DF62581500176183FBC282A740E4F11976CDFC01FE664A02292<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">A03A71765B1B0EA7DE4FBCB557DCFA995FF9068E92DB9B2DADA9DD0841203145<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">93E9383AE8AD2371D457FC4C1035157D887A84BBFE66FBBB3769C5637DE59C75<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">953B5FC9977E2D50F3F72C6CE85E89428937117830C0ED67D468E2D93AA7EC9A<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">92A856A2216E107496EE086E1C8CFE14E15145E7A247539815FD37E5A18B84D9<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">8749C1495AF4FD73CCFC84B32F56F5E78549D81FEEFB0C1D1C3475A74345F6A8<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">84B846A42D94431520D3D2D14262F3D3A5D96762E56B0AE471B853D1603CA403<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">797159C202CA41356BEE18C5303D37E9D2A43CA43D0CE02E1FD9E7045B925D11<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">7C39841BA409BCE4C2C35437ECF043F22910984325C70B9530EDF15D826147EE<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">4C8671411DA91EB5967F408C2A6FF6BAF25FF7C40C65FF45EE33B352A711BF9C<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">5CA4A9F6553FEA64AD2C724BF71D0FAC2B372F9E7CE2200814C98AAC647172FB<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">49BFFF6B91EE71BBF8FD94829391A36B844FFBA104C145E01C92732ADA52C8BA<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">2DABA469F50CD1B77481E605AEAE0F28BF14CEDFCD8E4369193E5E04C523BC38<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">21129AD17800B11CDB36906BA7F6105E3BD1CF44575F77DF58BA91640BA0CAB9<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">2285A264FFAB59AB5A1EB4E2B9BCAB9BAF26750B6C551EE3094AF56A4442AC41<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">14E9B5E214572CB13FF87727D680633F5EE238259043357C94302654C546CAD2<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">1FED2E1B077AF08E73FB5ECFFD2E5169D5289A825DCAF2D8742BB8030E487641<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">0B8E6A11ADAA3DF120EC15846BB966D674724B6B92EAE34D63B665E0698E0193<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">03E9ADAE529155961F1F18212FF70181BDE0E3DA3D7F22961A6E2B1C9DA2DD2E<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">0322C4C2D511F73AB55BF3F43B1B0F152188D7146CC67FF497AD275D9DD1C20F<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">00654DD07721E7551641F90CBA832E98C0ACB030E2848E5EFC0E1752C067EC07<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">4DEC3EEEFCEC013F142386D5C54099D3DAA2B48D559434DB1D4F2078D704DA1B<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">0F04F199327D0D076815190DC024F4A6B0F27899D50D28E94662820AB9C945D2<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">478B04C20BBF6717D10EE978B99339B7C4664FEBC8BCFDAF86C3F0FBFC83A5C5<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">85E72976B9448295034A8D4C26462B8F1EBE1CA0A4E4B897C7F2404D0DE948C2<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">11DF3B7B4EE24E1EBC8901058EC0A7EEF7CDF79227A2E3B4E5ED31A110B94ED7<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">B132579DA1340654277945EBA64EC9E93D058E4B2057BDC4410F3B583009002C<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">398B112EF1BD32C81A49BED31AE7216D3C1DA89924755B0A478A1CDB1B4E0A6D<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">07F9076BF3499974883F4344FDAF51B2261B20D992B069378C4D16F4BFC93AF6<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">1A8D8A209D46ADA8966ED371EE2E28079B9DCEF0B37E85C8024D86C427E1017B<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">B77FF307EA74A3AB41C92036AEA4A049B3C2E69B12A857D26910E535544DFB05<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">68B2524160410A18CD61BA66D9699CDFDE6A4C7FFC207667D20C90FA84A03A87<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">D0D626DEB3F9484E649294A8DFA814C5568F846D5AA02D4CDAD5D041A29D5600<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">4E8F24FB50A08C12636F3D50C94772F355D5229E58110CCCB3B4835CB2371AEC<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">6B01EEEF147D9E0CD6445F90E55E467B930DF2DE5D74E3D2F7610E80F2C5A2CD<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">CB80A074E5FDE8D297C2C74A0377E612B4030CC756BAF4FFF3CC2452EBC04A9C<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">E9DDF486E5AEAC02FC279659B72A1BEC97103F413E089D8FABC30175F4CDBF15<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">EC5F07C169267DEC875FDD135C1D97186B494A6F1214FB6B40036FD4CE725DEF<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">F2A8BDF135CACA0D7359A7163A4343701A5BDFBC8007E71424649E45901AB7E2<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">7E05FF08E32A64DA75EC48B5E738181AFB3E24A9F1DA7F5514C5A11BB067CBFB<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">BBD16685917B9B35C7480D5711193C1CD0E4E7CCB0F2BF1FD584C0AEBCA5AE4C<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">B9A2C986B6AD1EB4CFB0303BAEDE906936FE96396F3CF490B0984A4798D741D8<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">611458206837560511CB007AB5EEB57047025C2EDC0643184561A6BF451E8C2C<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 9px;\">9B33EC7F5E615A6556F147B611425D3CA4A8879CE746D4A8CB62ADF4C7F76029<\/span><\/p>\n<\/div>\n<h2 dir=\"ltr\">Targeted Sectors and Countries<\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\">An analysis of the Nobelium campaign shows multiple sectors being targeted: Pharmaceuticals and Biotechnology, Aerospace and Defense, Media and Entertainment, Telecommunications, Energy and Natural Resources, Law, Information Technology, Consulting, Healthcare, Healthcare Providers, Finance, Education, and Research.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">The campaign was carried out across Belgium, Israel, Italy, the United States, Turkey, India, Luxembourg, the United Kingdom, Canada, Chile, France, Mexico, Germany, Thailand, Switzerland, Denmark, the United Arab Emirates, Bulgaria, Spain, Ireland, and Singapore.<\/p>\n<h2 dir=\"ltr\">Exposure<\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\">The following are the results of the Nobelium vulnerabilities that have a direct CVE exposure, according to Shodan. Cumulatively, these amount to over 20,000 exposed instances where attackers have a clear advantage.<\/p>\n<table style=\"width: 600px;\" border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><strong>CVE-2020-5902 (F5 vulnerability)<\/strong><\/td>\n<td style=\"text-align: center;\"><strong>CVE-2019-19781 (Citrix vulnerability)<\/strong><\/td>\n<\/tr>\n<tr>\n<td><img decoding=\"async\" style=\"width: 151px; height: 200px;\" src=\"https:\/\/lh4.googleusercontent.com\/MrGNCKj35JxCKr8jqXjRfH8LRODbOdsquAU0AYoSF760-9siUEzz_acrUnitKJ0Y-QRpVGJYc6LIF2fzmrnV8jIdyQSol7Nr890cyXrWCnfY8DwZ5ffofGakrLW7RDqoy2s0B4vL\" \/><\/td>\n<td><img decoding=\"async\" style=\"width: 150px; height: 200px;\" src=\"https:\/\/lh5.googleusercontent.com\/NksFvvudM09udN7nQpFtKpsY1WOjeR_2kyrMW-TyeRbNbU_TrpBTb3uqkTTwzk9GTuY-OrCpoLOwI_vrfrkdVVhAQjaJLOFp-pBE5sZTFGNRRnBYbakxsg-s7MNULv3ky4l6j-KW\" \/><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><strong>CVE-2019-1653 (Cisco vulnerability)<\/strong><\/td>\n<td style=\"text-align: center;\"><strong>CVE-2019-11510 (Pulse Secure)<\/strong><\/td>\n<\/tr>\n<tr>\n<td><img decoding=\"async\" style=\"width: 150px; height: 200px;\" src=\"https:\/\/lh5.googleusercontent.com\/7ZcZQK1Yb0lvAhLBYoZeAoBowjL9Va3Kn6Olu1zEl0stXZXdB1Mb0N9TvSvlp1z9y03oUy6S-CONacAkoMg9B_N_V8DeCDmiz37jQmOsoIyS3J3B_85MgZ66DjmsPPrFo-sv4gf8\" \/><\/td>\n<td><img decoding=\"async\" style=\"width: 150px; height: 203px;\" src=\"https:\/\/lh5.googleusercontent.com\/vzFPUtJLV2HdWzZqABzhQOwwFcbaxQo8vx2DcWnPGbWbLy0ak4nfB1qf2g2rBO8ssGVqFL0Fq4Xk-WpICH_m4JdBdeFCbS8bKSQJB3oA9gymkWBZrA55QQvM5qlf8zr67MSEydhb\" \/><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\" colspan=\"2\"><strong>CVE-2021-26855 (Exchange server RCE)<\/strong><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\"><img decoding=\"async\" style=\"width: 150px; height: 200px; margin-left: 200px; margin-right: 200px;\" src=\"https:\/\/lh5.googleusercontent.com\/d4xux306V94U9OpxCrMQdbEsLkhvoJDSDexO_0uyhBN4hhgBoVFWtpEW5OW5H-Z8dmRhg3TI65_5W4WTxek5Nqxo4IzDAdSsAoSCRKINY0wROA1FAcgwUEJ_a4iAZJhjnJTqGA0N\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify;\"><strong>Given the history of APT29, CISA published a <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/05\/27\/microsoft-announces-new-campaign-nobelium\" target=\"_blank\" rel=\"noopener\">warning<\/a> by Microsoft on May 27, 2021, describing the campaign as sophisticated, one that <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/05\/27\/new-sophisticated-email-based-attack-from-nobelium\/\" target=\"_blank\" rel=\"noopener\">evolved<\/a> over the course of five\u00a0months.<\/strong><\/p>\n<h2 dir=\"ltr\">Increasing Attacks Demand a Change in the Cybersecurity Strategy<\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\">While the recent Nobelium campaigns seem to have been subdued compared to the SolarWinds impact, we can see increasing attacks on organizations in the US by Russia-backed actors and associated ransomware groups. Beginning with the impactful Colonial Pipeline attack, followed by the Ireland Health Service Executive (HSE) attack, the JBS attack, the Nobelium campaign, the SolOriens attack, and the recent Microsoft campaign, Russian APT groups are directly or indirectly linked to this flurry of high-profile cyberattacks. Propelled by these findings, cybersecurity was discussed as a priority in the recently concluded <a href=\"https:\/\/www.reuters.com\/world\/wide-disagreements-low-expectations-biden-putin-meet-2021-06-15\/\" target=\"_blank\" rel=\"noopener\">summit<\/a> between Russian President Vladimir Putin and US President Joe Biden.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">Today\u2019s cybercrime activities are moving toward high-impact attacks, posing a high risk to all organizations alike, including federal entities. Organizations need to shift from a defensive mindset to an offensive approach to stay ahead of threat actors. This calls for a rigorous analysis of an organization\u2019s risk exposure, backed by a well-informed database that enables the organization to evaluate looming threats and deal with the ones that matter the most.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><strong>We urge all organizations to patch the vulnerabilities on priority in order to avoid another supply chain attack.<\/strong><\/p>\n<p style=\"text-align: justify;\"><strong>Read on to learn more about our analysis of the group and patch the associated vulnerabilities before it is too late.<\/strong><\/p>\n<p style=\"text-align: justify;\"><strong>{Update September 03, 2021}:\u00a0<\/strong>Autodesk, a US-based software company known for its 3D computer-aided design and modeling tools software AutoCAD, has <a href=\"https:\/\/www.theregister.com\/2021\/09\/02\/autodesk_solarwinds_hack_victim\/\" target=\"_blank\" rel=\"noopener\">revealed<\/a> that one of its servers was backdoored with the Sunburst malware during the SolarWinds supply chain attack in December 2020. Clearly, attacks are becoming more sophisticated, with organizations realizing the breach only months later and its impact being felt a long time after the attack.<\/p>\n<p style=\"text-align: justify;\"><strong>{Update September 30, 2021}<\/strong>:\u00a0After being <a href=\"https:\/\/thehackernews.com\/2021\/07\/experts-uncover-several-c-servers.html\" target=\"_blank\" rel=\"noopener\">associated <\/a>with the WellMess malware in July 2021, the Nobelium group has now been identified as deploying two new backdoors, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-tomiris-backdoor-likely-developed-by-solarwinds-hackers\/\" target=\"_blank\" rel=\"noopener\">Tomiris<\/a> and <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-nobelium-uses-custom-malware-to-backdoor-windows-domains\/\" target=\"_blank\" rel=\"noopener\">FoggyWeb<\/a>. These have been recently trending, giving us enough reasons to believe that the threat group is slowly developing its techniques and tactics.<\/p>\n<p style=\"text-align: justify;\"><strong>{Updated\u00a0November 02, 2021}: <\/strong>On October 24, 2021, researchers noticed new tactics and techniques being used by the Nobelium group. The Nobelium group is trying to replicate an older approach that targets companies integral to the global IT supply chain. The intention is to attack resellers and other service providers who customize, manage, and deploy cloud services on behalf of the customer. The attack campaigns targeting resellers and service providers observed thus far have not exploited any software vulnerability but are using well-known techniques, such as password phishing and spraying, to steal legitimate credentials in the hope of gaining privileged access.<\/p>\n<p style=\"text-align: justify;\"><strong>{Updated on February 08, 2022}:<\/strong> The threat actor behind the SolarWinds supply chain attack, Nobelium, has been continually expanding its malware arsenal, with the newest additions being two sophisticated malware families\u2014GoldMax, a Linux variant and TrailBlazer, a new implant\u2014that were recently discovered on a victim network.<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\" target=\"_blank\" rel=\"noopener\">Securin can help organizations improve their security posture!<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nobelium, the APT group behind the infamous SolarWinds attack, has resurfaced in two recent campaigns against US-based IT companies and government organizations. Check out Securin\u2019s analysis about 18 vulnerabilities used by the group to exploit and infiltrate their targets.<\/p>\n","protected":false},"author":1,"featured_media":7440,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[82,80,81,123],"tags":[107,209,352,372,116,357,207,395,338,373],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7439"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7439"}],"version-history":[{"count":8,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7439\/revisions"}],"predecessor-version":[{"id":17892,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7439\/revisions\/17892"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7440"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}