Geeks for your information
Nobelium Phishing Campaign Poses as USAID - Printable Version

+- Geeks for your information (https://www.geeks.fyi)
+-- Forum: News (https://www.geeks.fyi/forumdisplay.php?fid=105)
+--- Forum: Privacy & Security News (https://www.geeks.fyi/forumdisplay.php?fid=107)
+--- Thread: Nobelium Phishing Campaign Poses as USAID (/showthread.php?tid=15171)



Nobelium Phishing Campaign Poses as USAID - silversurfer - 28 May 21

Quote:The cybercriminal group behind the notorious SolarWinds attack is at it again with a sophisticated mass email campaign aimed at delivering malicious URLs with payloads enabling network persistence so the actors can conduct further nefarious activities.
 
Microsoft Threat Intelligence Center (MSTIC) began tracking this latest campaign of Nobelium (previously known as Solarigate) in late January when it was in the reconnaissance stage, and observed as it “evolved over a series of waves demonstrating significant experimentation,” according to a blog post by the Microsoft 365 Defender Threat Intelligence Team.
 
On Tuesday, researchers observed an escalation in the effort as the threat group began masquerading as a U.S.-based development organization to distribute emails – including the malicious URLs – using a legitimate mass-emailing service, Constant Contact, they said. The threat actors targeted a wide variety of organizations and industry verticals.
 
In addition to the widely disruptive SolarWinds incident, Nobelium is also the group behind the Sunburst backdoor, Teardrop malware and GoldMax malware. The group historically has targeted a wide range of organizations, including government institutions, NGOs, think tanks, the military, IT service providers, health technology and research companies and groups, and telecommunications providers.
 
The targets in the latest attack, which is ongoing, are 3,000 individual accounts across more than 150 organizations, “employing an established pattern of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time,” researchers observed.
 
During the SolarWinds attack, Nobelium infected targets by pushing out the custom Sunburst backdoor via trojanized product updates to nearly 18,000 organizations around the globe. In this way, the attack, which started in March 2020, remained undetected until December, giving the attackers time to pick and choose which organizations to further penetrate and resulting in a sprawling cyberespionage campaign that significantly affected the U.S. government and tech companies, among others.
 
There are a number of key differences between that attack and this latest campaign, which researchers attributed to “changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” they said.

Read more: Nobelium Phishing Campaign Poses as USAID | Threatpost