


Nobelium, the Russian-backed group notorious for the SolarWinds supply chain attack, which planted backdoors in thousands of organizations before actually intruding into nine U.S. federal agencies and about 100 U.S. companies to steal information, is now hitting Microsoft itself.

In a Friday update, Microsoft said it found “information-stealing malware” on one of its support agents’ machines that had access to “basic account information for a small number of customers.”

“Actors could use this information to launch targeted attacks as part of a broader campaign. We responded quickly, removed the access, and protected the device,” the company said.

“While the investigation is ongoing, we can confirm that the support agent was configured with the minimum privileges required as part of our Zero Trust ‘least privileged access’ approach to customer information. We are notifying all affected customers and helping them keep their accounts secure.”

Microsoft recommends using multi-factor authentication and a zero trust architecture to help protect your environment.

Redmond recently warned that Nobelium was conducting a phishing campaign impersonating USAID after taking control of USAID’s account on the Constant Contact email marketing platform.

According to Microsoft, the phishing campaign targets approximately 3,000 accounts related to government agencies, think tanks, consultants, and non-governmental organizations.

Microsoft said in a Friday update that “password spray and brute force attacks” continued.

“This recent activity has largely failed and most of the targets have not been successfully compromised. So far, we are aware of three compromised entities,” the company said.

“All compromised or targeted customers are contacted through our nation-state notification process.”

The malware went through the normal Microsoft driver signing process

In a second post on Friday, Microsoft admitted that a malicious driver had been signed by the software giant itself.

“The actor’s activities are limited to the Chinese gaming sector and do not appear to be targeting the corporate environment. At this time, we do not attribute this to nation-state actors,” the company said.

“The actor’s goal is to use the driver to disguise their geographic location so that they can trick the system and play from anywhere. The malware uses common tools such as keyloggers to compromise accounts, which can give them an edge in the game and let them exploit other players.”

As a result of the incident, Microsoft said it would refine its policies, validation, and signing process.

Microsoft added that the driver is now blocked by Microsoft Defender.

While Microsoft called the malware a driver, GData’s Karsten Hahn, who discovered the Netfilter malware, labels it a rootkit.

“At the time of writing, it’s still unclear how the driver can go through the signing process,” he writes.

According to Hahn, a VirusTotal search turned up signed samples dating back to March.

Netfilter also has an update mechanism: after contacting a specific IP address, it installs a root certificate and updates the system’s proxy settings, Hahn said.

According to Microsoft, for the attack to work the attacker must either already have administrator privileges, so that the installer can update the registry key and install the driver, or convince the user to do it themselves.
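The two host changes the article attributes to Netfilter, a newly installed root certificate and modified proxy settings, together with the fact that the driver itself carried a valid Microsoft signature, suggest what a defender should look at on a suspect machine. The following read-only audit script is an added example written for this page; it is not code from Microsoft, GData, or the article. The 90-day look-back window and the self-issued-certificate heuristic are assumptions chosen for triage, not indicators published on the page.

```powershell
# Added example (not from the article, Microsoft, or GData): a read-only
# audit of the host changes the article attributes to the Netfilter rootkit.
# Run in an elevated PowerShell session; nothing on the host is modified.

# 1. Root certificates that are self-issued and were created recently.
#    Legitimate Microsoft roots are self-issued too, but they are years old;
#    a root whose NotBefore is in the last few weeks deserves a look.
#    $LookbackDays is an assumed triage window, not a value from the article.
$LookbackDays = 90
$cutoff = (Get-Date).AddDays(-$LookbackDays)

$recentRoots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.NotBefore -gt $cutoff } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter

Write-Host "Self-issued root certificates created in the last $LookbackDays days:"
$recentRoots | Format-Table -AutoSize

# 2. Proxy configuration: the per-user WinINET settings held in the registry
#    and the machine-wide WinHTTP proxy. An unexpected ProxyServer or
#    AutoConfigURL pointing at an unfamiliar host is the thing to chase.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
Write-Host "WinINET proxy settings for the current user:"
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
} | Format-List

Write-Host "WinHTTP (machine-wide) proxy:"
netsh winhttp show proxy

# 3. Running kernel drivers and their Authenticode signer. Because the
#    article's point is that the malicious driver passed Microsoft's own
#    signing process, a "Valid" status clears nothing on its own; use the
#    list to find drivers whose name or path you cannot account for.
Write-Host "Running kernel drivers and signers:"
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style paths WMI reports into Win32 paths.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Sort-Object Signer, Name | Format-Table -AutoSize
```

The script only reads state, so it is safe to run during triage before an image is taken; treat any recent self-issued root, any proxy pointing at a host you do not own, and any running driver you cannot tie to installed software or hardware as leads to confirm against Defender's detections and your own inventory rather than as proof on their own.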

