29 June 21, 08:24
(This post was last modified: 29 June 21, 08:24 by silversurfer.)
Quote:The same group behind the SolarWinds supply-chain attacks has been targeting Microsoft’s corporate networks to gain access to specific organizations — primarily, U.S.-based IT and government organizations.
Microsoft officially announced the attacks after Reuters obtained an email sent to customers which explained that the threat group Nobelium stole customer-service-agent credentials to gain access and launch attacks against Microsoft customers.
“The Microsoft Threat Intelligence Center is tracking new activity from the Nobelium threat actor,” the software giant said in a blog post. “Our investigation into the methods and tactics being used continues, but we have seen password-spray and brute-force attacks.”
Nobelium is the internal Microsoft name for the group believed to be behind the SolarWinds attacks, which also goes by APT29, Cozy Bear and The Dukes. No matter the moniker, the group has been designated by the U.S. government as working with the Russian government.
“All customers that were compromised or targeted are being contacted through our nation-state notification process,” Microsoft said.
The Microsoft Threat Intelligence Team found 45 percent of their customers who were targeted in the attacks are in the U.S. — out of those, 57 percent are IT companies and 20 percent are government agencies.
In addition to password spraying and brute-force attacks, Microsoft said they found info-stealer malware aimed at specific customers.
“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers,” Microsoft’s announcement said. “The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign.”
Read more: Attackers Breach Microsoft Customer Service Accounts | Threatpost