{"id":99621,"date":"2021-10-25T00:01:18","date_gmt":"2021-10-25T07:01:18","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=99621"},"modified":"2023-09-14T11:44:36","modified_gmt":"2023-09-14T18:44:36","slug":"nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/25\/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks\/","title":{"rendered":"NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"},"content":{"rendered":"
The Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity<\/a> associated with the threat actor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations (referred to as \u201cservice providers\u201d for the rest of this blog) that have been granted administrative or privileged access by other organizations. The targeted activity has been observed against organizations based in the United States and across Europe since May 2021. MSTIC assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve. NOBELIUM is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor\u2019s compromise-one-to-compromise-many approach. Microsoft has notified known victims of these activities through our nation-state notification process and worked with them and other industry partners to expand our investigation, resulting in new insights and disruption of the threat actor throughout stages of this campaign.<\/p>\n Microsoft has observed NOBELIUM targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems. These attacks are not the result of a product security vulnerability but rather a continuation of NOBELIUM\u2019s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts. These attacks have highlighted the need for administrators to adopt strict account security practices and take additional measures to secure their environments.<\/p>\n In the observed supply chain attacks, downstream customers of service providers and other organizations are also being targeted by NOBELIUM. In these provider\/customer relationships, customers delegate administrative rights to the provider that enable the provider to manage the customer\u2019s tenants as if they were an administrator within the customer\u2019s organization. By stealing credentials and compromising accounts at the service provider level, NOBELIUM can take advantage of several potential vectors, including but not limited to delegated administrative privileges (DAP), and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access. To reduce the potential impact of this NOBELIUM activity, Microsoft encourages all of our partners and customers to immediately review the guidance below and implement risk mitigations, harden environments, and investigate suspicious behaviors that match the tactics described in this blog. MSTIC continues to observe, monitor, and notify affected customers and partners through our nation-state notification process. Microsoft Detection and Response Team (DART) and Microsoft Threat Experts have also engaged directly with affected customers to assist with incident response and drive better detection and guidance around this activity.<\/p>\n A key trait of NOBELIUM\u2019s ongoing activity over the last year has been the abuse of indirect paths and trust relationships to target and gain access to victims of interest for intelligence gain. In the most recent campaign, this has manifested in a compromise-one-to-compromise-many approach\u2014exploiting the service providers’ trust chain to gain broad access to multiple customer tenants for subsequent attacks. NOBELIUM leverages established standard business practices, to target downstream customers across multiple managed tenants. These delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators. If NOBELIUM has compromised the accounts tied to delegated administrative privileges through other credential-stealing attacks, that access grants actors like NOBELIUM persistence for ongoing campaigns.<\/p>\n In one example intrusion chain observed by MSTIC during this campaign, the actor was observed chaining together artifacts and access across four distinct providers to reach their end target. The example demonstrates the breadth of techniques that the actor leverages to exploit and abuse trust relationships to accomplish their objective.<\/p>\n <\/p>\n Figure 1: Example intrusion conducted by NOBELIUM demonstrating nested access across variety of methods.<\/em><\/p>\n Microsoft assesses that organizations, such as cloud service providers and other technology organizations who manage services on behalf of downstream customers, will be of continued interest to persistent threat actors and are at risk for targeting via a variety of methods, from credential access to targeted social engineering via legitimate business processes and procedures. For additional information on how to identify and triage delegated administrative privileges, see the mitigations and recommendations below.<\/p>\n Microsoft recommends that cloud service providers, other technology organizations with elevated privileges for customer systems, and all downstream customers of these organizations review and implement the following actions to help mitigate and remediate the recent NOBELIUM activity.<\/p>\n All Microsoft partners should review and verify overall compliance status with the partner security requirements<\/a> through the Microsoft Partner Center. Microsoft recommends the following:<\/p>\n To improve security, Microsoft recommends that partners remove delegated administrative privileges that are no longer in use. Starting in November, a new reporting tool<\/a> will be available that identifies and displays all active delegated administrative privilege connections and will help organizations to discover unused delegated administrative privileges connections. This tool will provide reporting that captures how partner agents are accessing customer tenants through those privileges and will allow partners to remove the connection when not in use.<\/p>\n Carry out additional investigations if you think you might have been affected to determine the full scope of compromised users\/assets. Microsoft recommends the following:<\/p>\n It is important to consider and implement a least-privilege approach. Microsoft recommends prioritizing a thorough review and audit of partner relationships<\/a> to minimize any unnecessary permissions between your organization and upstream providers. Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or have not yet been audited.<\/p>\n MFA is the best baseline security hygiene method to protect against threats. Follow the detailed guidance on setting up multifactor authentication<\/a> in Microsoft 365, as well as the guidance on deploying and configuring conditional access policies<\/a> in Azure Active Directory (Azure AD).<\/p>\n We encourage all organizations to become familiar with logs made available within your subscription and routinely evaluate them for adequacy and anomalies. For organizations relying on a third-party organization, work with them to understand their logging strategy for all administrative actions and establish a process should logs need to be made available during an incident.<\/p>\n Unique indicators (e.g., specific IPs, domains, hashes) have limited value in detecting global NOBELIUM activity because the indicators are mostly compartmented by campaign and specific to the targeted organization. They also regularly obfuscate their attack by shifting infrastructure and maintain very tight operational security around their campaigns. Despite this, the following behaviors and characteristics are common to NOBELIUM intrusions and should be reviewed closely during investigations to help determine if an organization has been affected:<\/p>\n For Microsoft customers using Azure Sentinel, Microsoft 365 Defender, Microsoft Cloud App Security, or registered partners taking advantage of the free two year subscription of Azure Active Directory Premium Plan 2<\/a>, any of the following in-product detections, investigation guidance, and hunting queries can help organizations accelerate their investigations into this activity.<\/p>\n Azure Sentinel customers can use the following detection queries to look for this activity:<\/p>\n Name<\/strong>: Azure VM Run Command operations executing a unique PowerShell script Name<\/strong>: Azure VM Run Command operation executed during suspicious login window Name<\/strong>: Azure Portal Sign-in from another Azure Tenant Name<\/strong>: Azure VM Run Command executed from Azure IP address Name<\/strong>: Azure VM Run Command linked with MDE Name<\/strong>: Dormant Service Principal Update Creds and Logs In Name<\/strong>: Dormant User Update MFA and Logs In Microsoft 365 Defender provides detection for one of the cloud persistence techniques commonly used by NOBELIUM. That persistence technique relies on maintaining access to victims\u2019 mail system through the modification of permissions and addition of hidden credentials that allow the attacker to access emails remotely. This alert is based on a combination of multiple signals and telemetry that originates from Microsoft Cloud App Security and is triggered either based on the risk score of the account involved or based on the suspicious IP address used to access emails.<\/p>\n Detection Name<\/strong>: Suspicious Addition of an Exchange related App Role Review and audit users and accounts and their activities<\/strong>: Microsoft Cloud App Security provides a quick page to enumerate all the users and accounts but filtering specifically to find \u201cexternal\u201d users with admin privilege. Once these users and accounts are identified, Cloud App Security can assist to review some of the activities performed and recent sign-ins and risk score.<\/p>\n <\/p>\n Microsoft Cloud App Security also provides detection coverage for some of the NOBELIUM techniques mentioned in earlier sections of this blog, including detection of post-exploitation activities related to manipulation of privileged credentials and a new detection for password-spray typically used to obtain initial foothold.<\/p>\n Detection Name: <\/strong>Activity from password-spray associated IP address Detection Name: <\/strong>Unusual addition of credentials to an OAuth app Detection Name<\/strong>: Unusual ISP for an OAuth app Azure Defender provides detections for abuse of legitimate virtual machine extensions once an attacker has obtained token or valid credentials. Through deep analysis of Azure activity logs, Azure Defender analyzes every call made by authenticated and authorized principals and calculates a likelihood score to determine suspicious intent of the operation and detect it.<\/p>\n Detection Name<\/strong>: Suspicious Run Command invocation detected Microsoft continues to track NOBELIUM\u2019s activities<\/a>, tactics<\/a>, malware<\/a>, and tools<\/a>. \u00a0We will communicate any additional insights and recommendations as we investigate their actions against our customers. We reinforce\u00a0the importance of best\u00a0practice\u00a0security precautions\u00a0such as Zero-trust architecture and multi-factor authentication\u00a0and their\u00a0importance\u00a0for everyone.\u00a0Additional information on best practice security priorities\u00a0is\u00a0listed below:<\/p>\n The Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity associated with the threat actor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations.<\/p>\n","protected":false},"author":117,"featured_media":99726,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[3702,3703],"threat-intelligence":[3727],"tags":[3898,3828,3926],"coauthors":[3380],"class_list":["post-99621","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","products-microsoft-entra","products-microsoft-entra-id","threat-intelligence-attacker-techniques-tools-and-infrastructure","tag-elevation-of-privilege","tag-midnight-blizzard-nobelium","tag-token-theft"],"yoast_head":"\nPost-exploitation patterns against downstream targets<\/h2>\n
Mitigation and remediation<\/h2>\n
If you are a cloud service provider or an organization who relies on elevated privileges<\/h3>\n
1. Verify and monitor compliance with Microsoft Partner Center security requirements<\/h4>\n
\n
2. Remove delegated administrative privileges (DAP) connection when not in use<\/h4>\n
\n
3.\u00a0 Conduct a thorough investigation and comprehensive response.<\/h4>\n
\n
If you are a downstream customer<\/h3>\n
1.\u00a0 Review, audit, and minimize access privileges and delegated permissions<\/h4>\n
\n
2. Verify multi-factor authentication (MFA) is enabled and enforce conditional access policies<\/h4>\n
3. Review and audit logs and configurations<\/h4>\n
\n
Observed behaviors and TTPs<\/h2>\n
\n
Detection and Investigation through Advanced Hunting queries<\/h2>\n
Azure Sentinel<\/h3>\n
Detections<\/h4>\n
\nDescription<\/strong>: This query identifies when the Azure Run command is used to execute a unique PowerShell script on a virtual machine. The uniqueness of the PowerShell script is determined by taking a combined hash of the cmdlets it imports and the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed in your environment.
\nURL<\/strong>: https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Detections\/AzureActivity\/RareRunCommandPowerShellScript.yaml<\/a><\/p>\n
\nDescription<\/strong>: This query identifies when the Azure Run command execution event is associated with a user and IP Address that has recently been associated by an Azure Sentinel UEBA user entity behavior alert.
\nURL<\/strong>: https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Detections\/MultipleDataSources\/RunCommandUEBABreach.yaml<\/a><\/p>\n
\nDescription<\/strong>: This query looks for sign-in attempts to the Azure Portal where the user who is signing in from another Azure tenant, and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner.
\nURL<\/strong>: https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Detections\/SigninLogs\/AzurePortalSigninfromanotherAzureTenant.yaml<\/a><\/p>\nHunting Queries<\/h4>\n
\nDescription<\/strong>: This query identifies any Azure VM Run Command operation executed from an Azure IP address. The Run Command allows an attacker or legitimate user to execute arbitrary PowerShell on a target VM.
\nURL<\/strong>: https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Hunting%20Queries\/AzureActivity\/AzureRunCommandFromAzureIP.yaml<\/a><\/p>\n
\nDescription<\/strong>: This query identifies any Azure VM Run Command operations and links these operations with MDE host logging. Logging from AzureActivity provides the IP address and user name of the account that invoked the command. The MDE data provides insights into what cmdlets were loaded by the command.
\nURL<\/strong>: https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Hunting%20Queries\/MultipleDataSources\/AzureRunCommandMDELinked.yaml<\/a><\/p>\n
\nDescription<\/strong>: This query look for Service Principal accounts that are no longer used where a user has added or updated credentials for them before logging in with the Service Principal.
\nURL<\/strong>: https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Hunting%20Queries\/MultipleDataSources\/DormantServicePrincipalUpdateCredsandLogsIn.yaml<\/a><\/p>\n
\nDescription<\/strong>: This query looks for user accounts that have not been successfully logged into recently, who then have a MFA method added or updated before logging in.
\nURL<\/strong>: https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Hunting%20Queries\/MultipleDataSources\/DormantUserUpdateMFAandLogsIn.yaml<\/a><\/p>\nMicrosoft 365 Defender<\/h3>\n
\nDescription<\/strong>: Addition of an Exchange related application role was observed. An account that can authenticate against an application service principal may also be able to access Exchange data and email. This alert was triggered based on another Microsoft Cloud App Security alert related to the potentially compromised user account.<\/p>\nMicrosoft Cloud Application Security<\/h3>\n
\nDescription: <\/strong>This detection compares IP addresses performing successful activities in your cloud applications to IP addresses identified by Microsoft\u2019s threat intelligence sources as recently performing password spray attacks. It alerts about users that were victims of password spray campaigns and managed to access your cloud applications from those malicious IPs.<\/p>\n
\nDescription: <\/strong>This detection identifies the suspicious addition of privileged credentials to an OAuth app, based on baseline behavior of activities learned by the product. This can indicate that an attacker has compromised the app, and is using it for malicious activity.<\/p>\n
\nDescription: <\/strong>This detection profiles your environment and triggers alerts when OAuth apps perform activities from an unusual ISP, which could indicate an attempted breach using a non-genuine OAuth provider.<\/p>\nAzure Defender<\/h3>\n
\nDescription<\/strong>: Azure Defender for Resource Manager identified a suspicious Run Command invocation in your subscription. Azure Run Command is a feature designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, an attacker with sufficient permissions can utilize Run Command to execute malicious code on your virtual machine. This activity is deemed suspicious as the user rarely invokes operations that enable code execution. This can indicate the account is compromised and is being used with malicious intent.<\/p>\n\n