SolarWinds APT Targets Tech Resellers in Latest Supply-Chain CyberattacksOriginal article: https://threatpost.com/solarwinds-tech-resellers-supply-chain-cybe...
Click Here:- https://www.youtube.com/watch?v=RMq8BN_RBRc
The SolarWinds attackers – an advanced persistent threat (APT) known as Nobelium – have started a new wave of supply-chain intrusions, this time using the technology reseller/service provider community to attack their targets.
The activity has affected victims in North America and Europe thus far, researchers said, and the goal is espionage: Nobelium has been linked to the Russian government’s foreign intelligence service, known as SVR.
According to an analysis from Mandiant and Microsoft, Nobelium isn’t exploiting a vulnerability or, as was the case with SolarWinds, trojanizing legitimate code. Instead, it’s infiltrating reseller networks using tried-and-true tactics like credential-stuffing and phishing, as well as API abuse and token theft, in order to gather legitimate account credentials and privileged access to reseller networks.
From there, Nobelium attempts to pivot and land inside the networks of reseller customers downstream. Once inside a reseller network, it becomes much easier to impersonate the company and exploit the trusted relationship that reseller has with its customers, researchers pointed out.
“Mandiant has investigated multiple intrusions in 2021 where suspected Russian threat actors exploited supply-chain relationships between technology companies and their customers,” said Mandiant senior vice president and CTO Charles Carmakal, via email. “While the SolarWinds supply-chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government.”
Since May, Microsoft has observed Nobelium attacking more than 140 resellers and technology service providers, it said, with about 14 of them succumbing to compromise. However, in its writeup, issued Sunday, the software giant didn’t say how many downstream customers have been affected.
Mandiant’s Carmakal only said that the firm has seen successful intrusions into on-premises and cloud victim environments.
“This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor,” Carmakal said. “Investigating these intrusions requires collaboration and information-sharing across multiple victim organizations, which is ch allenging due to privacy concerns and organizational sensitivities.”