Microsoft reports that a new wave of phishing attacks targeted staff at more than 150 government agencies and related organisations, most of them in the US.
The attacks were attributed to Nobelium, the group behind the recent SolarWinds supply-chain attack. The actor has been observed targeting government agencies, think tanks, consultants and non-governmental organisations.
Organisations in the US received the largest share of the attacks, but the wave targeted approximately 3,000 email accounts at more than 150 organisations, with victims in at least 24 countries. Microsoft observed that at least a quarter of the targeted organisations are involved in international development, humanitarian and human rights work.
Nobelium, which is assessed to operate from Russia, launched the campaign by gaining access to USAID's account at Constant Contact, an email marketing service. Because the messages went out through USAID's legitimate mailing service they looked authentic, but each included a link that, when clicked, delivered a malicious file that installed a backdoor Microsoft calls NativeZone. The backdoor could enable a wide range of follow-on activity, from stealing data to compromising other computers on the network.
Charlie Gero of Akamai's Security Technologies Group said that, with phishing attacks increasing, the focus should shift from keeping end users away from hotspots on the web to "the acceptance that everywhere on the internet can be dangerous".
“Nobelium is doing something pretty interesting. They are storing their malware on domains that people don’t block, like Google Firebase and Dropbox. They are effectively laundering their malware through trusted SaaS providers," Gero said.
"This means protection at the DNS layer, while critically important, is obviously not enough. You need content inspection too, and that’s where SWGs (Secure Web Gateways) come into play.
"It expands the protections from focusing on keeping end users away from dangerous areas on the internet to accepting that everywhere can be dangerous, and thus scanning for viruses, performing sandboxing, etc, is a must."
Nobelium is also the threat actor behind the 2020 attacks on SolarWinds customers. The latest campaign appears to target government agencies involved in foreign policy as part of intelligence-gathering efforts.
Nobelium's new approach has "confirmed Zero Trust" in a different use case, Gero added. The important takeaway from these attacks is that end users "should always scan and verify information" rather than trusting content sent by other users based on its location.
"In the past, we trusted users based on their location (inside the perimeter), but today we recognise that is bad and we need to verify each access based on identity, risk, and more," Gero said.
"We still often trust data based on its location [for example] 'it’s on Dropbox, and my company trusts Dropbox, so we’re good'.
"As we see, criminals are increasingly relying on this mistake of trusting content by location in order to get around enterprise protections."
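The following script is an added example illustrating the point made above about malware hosted on domains an enterprise trusts, and the related point about trusting data by location; it is not code from the article, from Akamai or from Microsoft. It contrasts a DNS-layer control, which sees only the hostname, with a content inspector of the kind a secure web gateway applies to the bytes actually downloaded. The trusted-host list, the sample fetches and their payloads are all constructed for the example; the payloads are file-format headers only, not real malware.

```python
"""Domain allowlist vs content inspection for downloads (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Hosts an enterprise typically allowlists because legitimate work runs on them.
# Assumed list for this example.
TRUSTED_HOSTS = {"www.dropbox.com", "firebasestorage.googleapis.com"}


@dataclass
class Fetch:
    """One download as a gateway sees it: URL, the server's claimed type, the bytes."""
    url: str
    content_type: str
    body: bytes


def dns_layer_decision(fetch: Fetch) -> str:
    """DNS-layer control: it sees only the hostname, never the payload."""
    host = urlparse(fetch.url).hostname or ""
    return "allow" if host in TRUSTED_HOSTS else "block"


# (magic bytes, offset, label) for file types phishing links commonly deliver.
SIGNATURES = [
    (b"MZ", 0, "pe-executable"),
    (b"\x4c\x00\x00\x00\x01\x14\x02\x00", 0, "windows-shortcut"),
    (b"CD001", 0x8001, "iso-9660-image"),  # ISO primary volume descriptor
    (b"PK\x03\x04", 0, "zip-archive"),
    (b"%PDF", 0, "pdf"),
]
BLOCK_KINDS = {"pe-executable", "windows-shortcut", "iso-9660-image"}
SANDBOX_KINDS = {"zip-archive"}
# First bytes the body must have if the server's Content-Type is to be believed.
EXPECTED_MAGIC = {"application/pdf": b"%PDF", "image/png": b"\x89PNG"}


def identify(body: bytes) -> Optional[str]:
    """Classify by magic bytes, not by file extension or Content-Type header."""
    for magic, offset, label in SIGNATURES:
        if body[offset:offset + len(magic)] == magic:
            return label
    return None


def content_decision(fetch: Fetch) -> str:
    """Content inspection: the verdict depends on the bytes, not on the host."""
    kind = identify(fetch.body)
    if kind in BLOCK_KINDS:
        return "block"
    if kind in SANDBOX_KINDS:
        return "sandbox"
    expected = EXPECTED_MAGIC.get(fetch.content_type.split(";")[0].strip())
    if expected and not fetch.body.startswith(expected):
        return "sandbox"  # declared type does not match the bytes: detonate first
    return "allow"


def layered_decision(fetch: Fetch) -> str:
    """Gateway-style: DNS layer first, then inspect what the trusted host served."""
    if dns_layer_decision(fetch) == "block":
        return "block"
    return content_decision(fetch)


# Constructed samples. The ISO body is padded so the descriptor lands at 0x8001.
SAMPLES = {
    "report.pdf on Dropbox": Fetch(
        "https://www.dropbox.com/s/abc/report.pdf?dl=1", "application/pdf", b"%PDF-1.7\n%"),
    "ISO on Dropbox": Fetch(
        "https://www.dropbox.com/s/def/Brief.iso?dl=1", "application/octet-stream",
        b"\x00" * 0x8001 + b"CD001\x01"),
    "EXE on unknown host": Fetch(
        "https://downloads.example.net/update.exe", "application/octet-stream", b"MZ\x90\x00"),
    "ZIP on Firebase": Fetch(
        "https://firebasestorage.googleapis.com/v0/b/x/o/docs.zip", "application/zip",
        b"PK\x03\x04\x14\x00"),
    "fake PDF on Firebase": Fetch(
        "https://firebasestorage.googleapis.com/v0/b/x/o/invoice.pdf", "application/pdf",
        b"<html><script>"),
}


def compare(samples=SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Return {name: (dns-only verdict, layered verdict)} for every sample."""
    return {name: (dns_layer_decision(f), layered_decision(f)) for name, f in samples.items()}


if __name__ == "__main__":
    for name, (dns_only, layered) in compare().items():
        print(f"{name:24s} dns-only={dns_only:7s} layered={layered}")
```

Running it shows the gap: the ISO and the mislabelled "PDF" both pass the DNS-layer check because the host is trusted, and only the content inspector stops or sandboxes them. The unknown-host executable is caught by either control, which is why the DNS layer remains worth keeping as the first filter.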