Mandiant researchers have identified two distinct clusters of activity, tracked UNC3004 and UNC2652, that were associated with the Russia-linked Nobelium APT group (aka UNC2452).
The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that conducted supply chain attack against SolarWinds, which involved multiple families of implants, including the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors.
NOBELIUM focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.
The Nobelium cyberspies is using a new custom downloader tracked by the researchers as CEELOADER.
Mandiant researchers spotted multiple supply chain attacks carried out by the APT. Threat actors compromised service providers and used the privileged access and credentials belonging to the hacked providers to target their customers.
“Mandiant has identified multiple instances where the threat actor compromised service providers and used the privileged access and credentials belonging to these providers to compromise downstream customers.” reads the report published by Mandiant. “In at least one instance, the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP’s environment, which ultimately led to the compromise of internal domain accounts.”
The researchers also cited another breach where the threat actors gained access to the target organization’s Microsoft 365 environment using a stolen session token. The state-sponsored hackers used the CRYPTBOT password-stealer to harvest valid session tokens that were used to authenticate to the Microsoft 365 environment.
NOBELIUM cyberspies leveraged compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell to execute commands within the target environments. Experts pointed out that the attackers used the protocols to perform reconnaissance, distribute Cobalt Strike beacons in the compromised network, and run native Windows commands to steal credentials.
Ceeloader is a custom downloader called written in C and supports the execution of shellcode payloads in memory.
“An obfuscation tool has been used to hide the code in CEELOADER in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling.” continues the report.
Ceeloader communicates via HTTP, while the C2 response is decrypted using AES-256 in CBC mode. The researchers noticed that the loader does not implement a persistence mechanism.
In some campaigns analyzed by Mandiant, the threat actor was using residential IP address ranges to authenticate to target environments. The access was likely obtained through residential and mobile IP address proxy providers.
In other campaigns, the attacker provisioned a system within Microsoft Azure that was within close proximity to a legitimate Azure-hosted system belonging to the CSP that they compromised. Using this technique, the actor was able to establish geo-proximity with the victims to masquerade the source of the attack and make it as originating from within legitimate Azure IP ranges.
“The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise. Though Mandiant cannot currently attribute this activity with higher confidence, the operational security associated with this intrusion and exploitation of a third party is consistent with the tactics employed by the actors behind the SolarWinds compromise and highlights the effectiveness of leveraging third parties and trusted vendor relationships to carry out nefarious operations.” concludes the report.
(SecurityAffairs – hacking, NOBELIUM)