
SolarWinds Hackers Impersonate USAID

by Craig Kennedy

Microsoft announced on Thursday, May 27th that its Microsoft Threat Intelligence Center (MSTIC) had detected a wide-scale malicious email campaign targeting around 3,000 accounts at 150+ organizations across 24 countries. This blog discusses what we know about the attack and how enterprises can protect themselves.

Nobelium a.k.a. Cozy Bear

This malicious email campaign, launched on May 25th, was carried out by the hacker group Nobelium, which also goes by the names Cozy Bear and the Dukes. Nobelium was behind the massive SolarWinds hack last year, which is almost universally accepted as the largest and most sophisticated cyberattack in history. Nobelium has historically focused its attacks on government agencies and selected non-governmental organizations (NGOs).

Microsoft’s recent findings demonstrate the growing danger of cyberattacks to the enterprise.

Constant Contact Calling–Trust Me

In this attack, Nobelium used a compromised United States Agency for International Development (USAID) marketing account in Constant Contact to send out what appeared to be legitimate communications from USAID. These communications contained a legitimate Constant Contact link that redirected to a malicious link, which downloaded the malware.

Spam Filters to the Rescue

Because of the high volume of email distributed in this campaign, most of it was blocked or flagged as spam; however, it’s likely that some of the early emails were delivered. The open question is whether any of the intended targets clicked the link in the email, which would download the malicious payload.

SolarWinds 2.0

If a recipient clicks the link in the email and the malicious payload is successfully installed, the attackers gain access to the compromised system, where they can then install additional malware, exfiltrate (steal) data, and attempt to move laterally within the network to access and compromise other systems. This is reminiscent of the SolarWinds attacks, in which malicious software was installed to provide access, data exfiltration, and lateral movement in a way intended to remain undetected.

Bottom Line

Enterprises need to ensure they have active anti-virus tools in place with the latest definition updates, and preferably AI-based tools, which are much better than signature-based anti-virus at identifying malware with anomalous behaviors like this. Aragon has consistently recommended the use of Multi-Factor Authentication (MFA) on all endpoints, both personal devices and servers, as protection against malicious attacks.
