How to protect Microsoft 365 from the NOBELIUM hackers' phishing attack
www.microsoft365managerplus.com
Table of contents

What is NOBELIUM ... 1
Spear phishing email campaign by NOBELIUM ... 1
Delivery techniques adopted by NOBELIUM ... 2
  Technique 1 ... 2
  Technique 2 ... 2
  Technique 3 ... 2
  Technique 4 ... 3
Evolved delivery technique ... 3
Mitigation techniques ... 5
  Find the unmanaged devices ... 5
  Enable multi-factor authentication (MFA) ... 6
  Create content search profiles ... 6
  Enable auditing and create alerts ... 6
Conclusion ... 7
Indicators of Compromise ... 7
What is NOBELIUM?

NOBELIUM is the threat actor behind the devastating supply chain cyberattack of December 2020, the Sunburst backdoor, the Teardrop malware, the GoldMax malware, and other ongoing threats. The group is known by a variety of names; the Microsoft Threat Intelligence Center (MSTIC) tracks it as NOBELIUM. NOBELIUM's malware has historically targeted government organizations, non-government organizations, think tanks, the military, IT service providers, health technology and research, and telecommunications providers. NOBELIUM's latest email attack impacted approximately 3,000 individual accounts across more than 150 organizations.

Spear phishing email campaign by NOBELIUM

The NOBELIUM email campaign differed significantly from the NOBELIUM operations that ran from September 2019 until January 2021. The group was previously known for deploying the GoldMax, Sibot, and GoldFinder malware; its email campaign was a complete departure from that modus operandi. MSTIC uncovered this malicious email campaign in January 2021. The campaign reached its peak when NOBELIUM leveraged the legitimate mass-mailing service Constant Contact to masquerade as a United States-based development organization and distribute malicious URLs to a wide variety of organizations. In this e-book we cover attacker motives, malicious behavior, and best practices to protect against this spear phishing email campaign.
Delivery techniques adopted by NOBELIUM

MSTIC discovered a wave of phishing emails that leveraged the Google Firebase platform to stage an ISO file containing malicious content; attributes of those who accessed the URL were also recorded. The threat actor kept changing its delivery techniques, making them difficult to detect.

Technique 1

NOBELIUM attempted to compromise systems with an HTML attachment that, when opened, wrote an ISO file hosted on Firebase to the hard disk and encouraged the target to open it. The opened ISO file was mounted like a network drive, which allowed a shortcut (LNK) file to execute a DLL embedded within the ISO, which in turn executed a Cobalt Strike Beacon.

Flow: spear phishing mail -> HTML attachment -> .iso file -> malicious LNK -> Cobalt Strike Beacon

Technique 2

Instead of hosting the ISO file on Firebase, it was encoded within the HTML file. The rest of the steps remained the same as in the previous technique.

Technique 3

In this technique, the HTML file redirected the target to an ISO file which contained an RTF document encoded with a Cobalt Strike Beacon.

Flow: .html attachment -> redirected to .iso file with RTF -> malicious document -> Cobalt Strike Beacon DLL
Technique 4

In this final variation, there was no HTML file. Instead, all the phishing emails came with a URL which redirected the targets to a spoofed website where the ISO files were distributed. Moreover, in more than one of the waves, no ISO payload was delivered at all. Instead, a malicious URL was shared in the email which, when clicked, ensured device profiling was performed by a threat actor-controlled web server.

Flow: image URL -> website spoofing -> malicious ISO

Evolved delivery technique

In April 2021, the threat actor abandoned Firebase for ISO file hosting and victim tracking. They encoded the ISO within the HTML document, which also stored the target details on a remote server using the api.ipify.org service. On May 25, the NOBELIUM campaign reached its peak when it started to leverage the legitimate mass-mailing service Constant Contact. It targeted around 3,000 individual accounts across more than 150 organizations. The emails appeared to originate from USAID, and a Reply-To address of was observed. One of the alert emails sent as a part of the campaign is shown below.

Figure 1: One of the emails from the campaign
The URL in the email directs the target to the legitimate Constant Contact service, which follows this pattern:

https://r20.rs6[.]net/tn.jsp?f=

The user is then redirected to NOBELIUM-controlled infrastructure, with a URL following this pattern:

https://usaid.theyardservice[.]com/d/

A malicious ISO file is then delivered to the system. Within this ISO file are the following files, which are saved in the %USER%\AppData\Local\Temp\\ path:

- A shortcut, such as Reports.lnk, that executes a custom Cobalt Strike Beacon loader
- A decoy document, such as ica-declass.pdf, that is displayed to the target
- A DLL, such as Document.dll, that is a custom Cobalt Strike Beacon loader dubbed NativeZone by Microsoft

Figure 2. ISO file contents. The "Documents.dll" is a hidden file.
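As an added detection example (not code from this e-book or from ManageEngine), the following Python resolves the DLL argument of each rundll32 process-creation event against the process's working directory and flags loads from the per-user Temp folder, where the ISO contents above are written; the events are constructed Sysmon-style samples, and the first mirrors the rundll32.exe Documents.dll,Open launch the page describes.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (assumed sample data, not from the e-book).
# The first mirrors the chain on this page: the shortcut in the mounted ISO runs
# "rundll32.exe Documents.dll,Open" with the working directory set to the user's Temp folder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe Documents.dll,Open",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp"},
    {"Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\Reports.dll,Start",
     "CurrentDirectory": r"C:\Users\alice\Documents"},
    {"Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "CurrentDirectory": r"C:\Windows\system32"},
    {"Image": r"C:\Windows\system32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp"},
]

# rundll32 takes "<dll>,<export>" as its first argument; capture both halves.
_ARG_RE = re.compile(r'^\s*"?\S*?rundll32\.exe"?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)
# Per-user Temp directory, where the page says the ISO contents are saved.
_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def resolve_dll(event):
    """Return (resolved DLL path, export name), or None if this is not a rundll32 launch."""
    if not event["Image"].lower().endswith("rundll32.exe"):
        return None
    m = _ARG_RE.match(event["CommandLine"])
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    # A bare DLL name (no directory) is looked up in the working directory first,
    # which is how "Documents.dll,Open" finds the DLL dropped into Temp.
    if not ntpath.dirname(dll):
        dll = ntpath.join(event["CurrentDirectory"], dll)
    return ntpath.normpath(dll), export


def detect(events):
    """Flag every rundll32 launch whose DLL resolves into a user's Temp folder."""
    hits = []
    for ev in events:
        resolved = resolve_dll(ev)
        if resolved and _TEMP_RE.search(resolved[0]):
            hits.append({"dll": resolved[0], "export": resolved[1], "cmd": ev["CommandLine"]})
    return hits
```

The same rule can be fed from any EDR or Sysmon export that carries the command line and working directory; the working directory is essential, because the relative DLL name alone looks harmless.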
The end result, when the LNK file is detonated, is the execution of "C:\Windows\system32\rundll32.exe Documents.dll,Open". The successful deployment of these payloads enables NOBELIUM to achieve persistent access to compromised systems. The successful execution of these malicious payloads could then enable NOBELIUM to conduct actions on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.

Figure 3. Shortcut which executes the hidden DLL file.

Mitigation techniques

Defending against NOBELIUM isn't easy, but it can be accomplished efficiently if you utilize a proactive monitoring, securing, managing, auditing, alerting, and reporting solution.

Find the unmanaged devices

Keep an eye on all the devices in your network. Identify the unmanaged devices and take the necessary actions.

How we can help: There is no need to choose the networks to monitor and the devices to probe. With ManageEngine M365 Manager Plus, once the tenants are configured, these details are readily available in the form of reports. Device-related reports provided by M365 Manager Plus include Azure AD Registered Devices, Recently Created Devices, Registered Device vs Owners, Mobile Devices, and 30 more.
Enable multi-factor authentication (MFA)

To mitigate compromised credentials, MSTIC strongly recommends that organizations enable MFA for all user accounts.

How we can help: Using the native Microsoft 365 tools allows you to enable MFA for user accounts in bulk. But when it comes to choosing the mode of verification, each user account has to be configured individually. With M365 Manager Plus, you can enable and configure all the MFA settings for multiple user accounts in a single session.

Create content search profiles

The Content Search module in M365 Manager Plus helps you identify emails with malicious links and personally identifiable information.

How we can help: The Content Search module scans emails received by the organization for malicious links, specific keywords, senders, email subjects, and other email attributes. For example, refer to the Indicators of Compromise (IoC) table below. Emails sent by the attack group appear to arrive from the email addresses listed there. With M365 Manager Plus, you can scan for and receive a near real-time email alert on emails from those senders.

Enable auditing and create alerts

Enable auditing for all critical user activities, such as non-owner mailbox accesses, failed password attempts, file accesses after business hours, permission changes, and other suspicious activities.

How we can help: M365 Manager Plus comes with more than 500 built-in reports that can be viewed in a single click and exported to various formats. In addition, custom audit profiles can be created and delegated to technicians. Near real-time email alerts can be configured for user actions to enable instant remediation.
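As an added example (not code from this e-book or from the product), this Python applies the email indicators from the IoC table below, the spoofed sender addresses and the actor-controlled domains, to a constructed message: it refangs the indicators, checks the From address, compares the From and Reply-To domains, and flags links whose host is one of those domains or a subdomain of it. The sample message and its Reply-To value are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators copied from the IoC table in this e-book, in the defanged form used there.
IOC_SENDERS = {"ashainfo@usaid.gov", "mhillary@usaid.gov"}
IOC_DOMAINS = {"theyardservice[.]com", "worldhomeoutlet[.]com"}
_URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def refang(indicator):
    """Turn a defanged indicator such as theyardservice[.]com back into a matchable host."""
    return indicator.replace("[.]", ".").lower()


def check_message(raw):
    """Return the findings for one RFC 822 message (text/plain body assumed)."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in IOC_SENDERS:
        findings.append("from spoofed IoC sender " + sender)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # A Reply-To whose domain differs from the From domain is a cheap, generic signal.
    if sender and reply_to and sender.rsplit("@", 1)[-1] != reply_to.rsplit("@", 1)[-1]:
        findings.append("reply-to domain differs from sender domain: " + reply_to)
    bad_hosts = {refang(d) for d in IOC_DOMAINS}
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for host in _URL_RE.findall(body):
        host = host.lower()
        # Match the domain itself and any subdomain (usaid., cdn., static., ...).
        if any(host == d or host.endswith("." + d) for d in bad_hosts):
            findings.append("link to actor-controlled host " + host)
    # Links to Constant Contact's r20.rs6.net are legitimate and are not flagged here; the
    # redirect to the actor host is only visible after the click (proxy logs, URL detonation).
    return findings


# Constructed sample, not a real message from the campaign; the Reply-To is a placeholder.
SAMPLE_MAIL = """From: USAID <ashainfo@usaid.gov>
Reply-To: alerts@mailer.example.invalid
Subject: Special Alert
Content-Type: text/plain

Documents: https://r20.rs6.net/tn.jsp?f=abc or https://cdn.theyardservice.com/d/
"""
```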
Conclusion

Becoming and staying informed about an attacker's motives and techniques helps us take proactive actions to safeguard our organization. Choosing the best tool to harden security requires that you purchase the Microsoft 365 Premium edition with all available features to make use of the benefits provided by them. An affordable alternative is a comprehensive tool like M365 Manager Plus, which helps manage and protect your Microsoft 365 setup. Learn more about M365 Manager Plus here.

Indicators of Compromise

Indicator | Type | Description
ashainfo@usaid.gov | Email | Spoofed email account
mhillary@usaid.gov | Email | Spoofed email account
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 | SHA-256 | Malicious ISO file (container)
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 | SHA-256 | Malicious ISO file (container)
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 | SHA-256 | Malicious ISO file (container)
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 | SHA-256 | Malicious shortcut (LNK)
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c | SHA-256 | Cobalt Strike Beacon malware
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 | SHA-256 | Cobalt Strike Beacon malware
usaid.theyardservice[.]com | Domain | Subdomain used to distribute ISO file
worldhomeoutlet[.]com | Domain | Subdomain in Cobalt Strike C2
dataplane.theyardservice[.]com | Domain | Subdomain used to distribute ISO file
cdn.theyardservice[.]com | Domain | Subdomain used to distribute ISO file
static.theyardservice[.]com | Domain | Subdomain used to distribute ISO file
192[.]99[.]221[.]77 | IP address | IP resolved to worldhomeoutlet[.]com
83[.]171[.]237[.]173 | IP address | IP resolved to *theyardservice[.]com
theyardservice[.]com | Domain | Actor-controlled domain

M365 Manager Plus is an extensive Microsoft 365 tool used for reporting, managing, monitoring, auditing, and creating alerts for critical incidents. With its user-friendly interface, you can easily manage Exchange Online, Azure Active Directory, Skype for Business, OneDrive for Business, Microsoft Teams, and other Microsoft 365 services from a single console.