Published: June 2, 2021
Netsurion’s Security Operations Center (SOC) has seen a significant escalation of an email-based attack campaign by the threat actor NOBELIUM, and is issuing this security advisory to give our customers and partners additional information and recommended prevention and detection measures.
The Microsoft Threat Intelligence Center (MSTIC) has released information on the uncovering of a widespread malicious email campaign undertaken by the activity group that Microsoft tracks as NOBELIUM. NOBELIUM is also known as Cozy Bear and the Dukes, among other aliases, and is classified by the United States Federal Government as the advanced persistent threat APT29. NOBELIUM was initially identified in November 2020, during an intrusion at a major cybersecurity organization. Microsoft security researchers identify NOBELIUM as the actor responsible for the 2020 compromise of the SolarWinds Orion platform and for subsequent activity targeting other Microsoft customer networks and cloud assets.
In addition, on May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID).
Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.
The NativeZone malware is distributed, and this backdoor could enable a wide range of activities, from stealing data to infecting other computers on a network.
The threat actor is able to distribute phishing emails that look authentic but include a link that, when clicked, deploys the NativeZone malware and gives NOBELIUM persistent access to the compromised machine.
If the user clicks the link in the email, the URL directs them to the legitimate Constant Contact service, following this pattern: https://r20.rs6[.]net/tn.jsp?f=
The user is then redirected to NOBELIUM-controlled infrastructure, with a URL following this pattern:
A malicious ISO file is then delivered to the system. The ISO contains the following files, which are saved to the %USER%\AppData\Local\Temp\<random folder name>\ path:
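The delivery chain described above (a Constant Contact tracking-link click, a redirect, an ISO download, and files dropped one folder deep under the user's Local\Temp) can be hunted for in proxy and endpoint logs. The Python below is an added example written for this advisory, not Netsurion or Microsoft code; the log format, the sample lines, and the 60-second click-to-download window are constructed assumptions, and only the r20.rs6.net/tn.jsp?f= pattern and the Temp path come from the advisory.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the advisory): time user method url status
SAMPLE_PROXY_LOG = """\
2021-05-25T14:02:11+00:00 alice GET https://r20.rs6.net/tn.jsp?f=001abc 302
2021-05-25T14:02:13+00:00 alice GET https://redirect.example.invalid/doc.iso 200
2021-05-25T14:05:40+00:00 bob GET https://r20.rs6.net/tn.jsp?f=001xyz 302
2021-05-25T14:05:41+00:00 bob GET https://newsletter.example.net/article.html 200
2021-05-25T15:00:00+00:00 carol GET https://intranet.example.net/report.iso 200
"""

# Constant Contact tracking-link pattern quoted in the advisory.
CONSTANT_CONTACT_CLICK = re.compile(r"^https://r20\.rs6\.net/tn\.jsp\?f=", re.I)
ISO_DOWNLOAD = re.compile(r"\.iso(?:[?#]|$)", re.I)
CHAIN_WINDOW = timedelta(seconds=60)  # assumption: download follows the click within a minute

def parse_proxy_log(text):
    """Yield (time, user, url) from the whitespace-separated sample format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _method, url, _status = line.split()
        yield datetime.fromisoformat(ts), user, url

def find_iso_after_tracking_click(text, window=CHAIN_WINDOW):
    """Return (user, click_url, iso_url) for every ISO fetched shortly after the same
    user followed a Constant Contact tracking link. A tracking click on its own is
    benign (Constant Contact is a legitimate service), so only the chain is reported."""
    last_click = {}
    hits = []
    for ts, user, url in parse_proxy_log(text):
        if CONSTANT_CONTACT_CLICK.search(url):
            last_click[user] = (ts, url)
        elif ISO_DOWNLOAD.search(url) and user in last_click:
            click_ts, click_url = last_click[user]
            if ts - click_ts <= window:
                hits.append((user, click_url, url))
    return hits

# Drop location named in the advisory: %USER%\AppData\Local\Temp\<random folder name>\
TEMP_DROP_PATH = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\[^\\]+$", re.I)

def is_temp_drop_path(path):
    """True for a file exactly one folder deep under the user's Local\\Temp."""
    return bool(TEMP_DROP_PATH.search(path))
```

The proxy check reports alice's click-then-ISO chain but not bob's ordinary newsletter click or carol's ISO with no preceding click; the path check is a triage filter for endpoint file-write events and should be paired with the file names listed in the advisory.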
EventTracker Endpoint Security detects and prevents the execution of this attack.
The payloads from these three components, as described in the Microsoft blog above, are detected by the EventTracker Endpoint Security agent.
The agent detects the new NOBELIUM components as the following malware:
Alerts with the following titles in the Security Center can indicate threat activity on your network:
Apply these mitigations to reduce the impact of this threat.
EventTracker Priority 1 (P1) Alerts
All the above detection mechanisms will ensure that NOBELIUM variants are detected and reported in real time.