{"id":99621,"date":"2021-10-25T00:01:18","date_gmt":"2021-10-25T07:01:18","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=99621"},"modified":"2023-09-14T11:44:36","modified_gmt":"2023-09-14T18:44:36","slug":"nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/25\/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks\/","title":{"rendered":"NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"},"content":{"rendered":"

The Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity<\/a> associated with the threat actor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations (referred to as \u201cservice providers\u201d for the rest of this blog) that have been granted administrative or privileged access by other organizations. The targeted activity has been observed against organizations based in the United States and across Europe since May 2021. MSTIC assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve. NOBELIUM is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor\u2019s compromise-one-to-compromise-many approach. Microsoft has notified known victims of these activities through our nation-state notification process and worked with them and other industry partners to expand our investigation, resulting in new insights and disruption of the threat actor throughout stages of this campaign.<\/p>\n

Microsoft has observed NOBELIUM targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems. These attacks are not the result of a product security vulnerability but rather a continuation of NOBELIUM\u2019s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts. These attacks have highlighted the need for administrators to adopt strict account security practices and take additional measures to secure their environments.<\/p>\n

In the observed supply chain attacks, downstream customers of service providers and other organizations are also being targeted by NOBELIUM. In these provider\/customer relationships, customers delegate administrative rights to the provider that enable the provider to manage the customer\u2019s tenants as if they were an administrator within the customer\u2019s organization. By stealing credentials and compromising accounts at the service provider level, NOBELIUM can take advantage of several potential vectors, including but not limited to delegated administrative privileges (DAP), and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access. To reduce the potential impact of this NOBELIUM activity, Microsoft encourages all of our partners and customers to immediately review the guidance below and implement risk mitigations, harden environments, and investigate suspicious behaviors that match the tactics described in this blog. MSTIC continues to observe, monitor, and notify affected customers and partners through our nation-state notification process. Microsoft Detection and Response Team (DART) and Microsoft Threat Experts have also engaged directly with affected customers to assist with incident response and drive better detection and guidance around this activity.<\/p>\n

Post-exploitation patterns against downstream targets<\/h2>\n

A key trait of NOBELIUM\u2019s ongoing activity over the last year has been the abuse of indirect paths and trust relationships to target and gain access to victims of interest for intelligence gain. In the most recent campaign, this has manifested in a compromise-one-to-compromise-many approach\u2014exploiting the service providers’ trust chain to gain broad access to multiple customer tenants for subsequent attacks. NOBELIUM leverages established standard business practices, to target downstream customers across multiple managed tenants. These delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators. If NOBELIUM has compromised the accounts tied to delegated administrative privileges through other credential-stealing attacks, that access grants actors like NOBELIUM persistence for ongoing campaigns.<\/p>\n

In one example intrusion chain observed by MSTIC during this campaign, the actor was observed chaining together artifacts and access across four distinct providers to reach their end target. The example demonstrates the breadth of techniques that the actor leverages to exploit and abuse trust relationships to accomplish their objective.<\/p>\n

\"Example<\/p>\n

Figure 1: Example intrusion conducted by NOBELIUM demonstrating nested access across variety of methods.<\/em><\/p>\n

Microsoft assesses that organizations, such as cloud service providers and other technology organizations who manage services on behalf of downstream customers, will be of continued interest to persistent threat actors and are at risk for targeting via a variety of methods, from credential access to targeted social engineering via legitimate business processes and procedures. For additional information on how to identify and triage delegated administrative privileges, see the mitigations and recommendations below.<\/p>\n

Mitigation and remediation<\/h2>\n

Microsoft recommends that cloud service providers, other technology organizations with elevated privileges for customer systems, and all downstream customers of these organizations review and implement the following actions to help mitigate and remediate the recent NOBELIUM activity.<\/p>\n

If you are a cloud service provider or an organization who relies on elevated privileges<\/h3>\n

1. Verify and monitor compliance with Microsoft Partner Center security requirements<\/h4>\n

All Microsoft partners should review and verify overall compliance status with the partner security requirements<\/a> through the Microsoft Partner Center. Microsoft recommends the following:<\/p>\n

    \n
  1. Ensure multifactor authentication (MFA) is in use and conditional access policies are enforced<\/strong>: All Microsoft partners are required to use MFA to access Partner Center and for cross-tenant access to customer tenants in Microsoft commercial clouds. Partners are advised to check their security compliance in Partner Center<\/a> and monitor if any user logins or API calls are not compliant with MFA enforcement. Partners should stay compliant<\/a> at all times.<\/li>\n
  2. Adopt the Secure Application Model Framework<\/strong>: All partners integrating with Partner Center APIs must adopt the Secure Application Model framework<\/a> for any app and user auth model applications.<\/li>\n
  3. Check the Partner Center Activity Logs<\/strong>: partners are advised to regularly check the “Activity Log” in Partner Center<\/a> to monitor any user activities, including high privileged user creations, high privileged user role assignment, etc. Partners can also use Partner Center Activity Log APIs<\/a> to create a custom security dashboard on key user activities in Partner Center to proactively detect suspicious activities.<\/li>\n<\/ol>\n

    2. Remove delegated administrative privileges (DAP) connection when not in use<\/h4>\n

    To improve security, Microsoft recommends that partners remove delegated administrative privileges that are no longer in use. Starting in November, a new reporting tool<\/a> will be available that identifies and displays all active delegated administrative privilege connections and will help organizations to discover unused delegated administrative privileges connections. This tool will provide reporting that captures how partner agents are accessing customer tenants through those privileges and will allow partners to remove the connection when not in use.<\/p>\n

      \n
    1. We are offering service providers a free two year subscription of Azure Active Directory Premium Plan 2<\/a><\/strong> to further help them manage and get reports on access privileges. Registered partners can log onto Partner Center to take advantage of this offer<\/a>. Azure AD Premium Plan 2 provides extended access to sign-in logs and premium features such as Azure AD Privileged Identity Management (PIM) and risk-based Conditional Access capabilities to strengthen security controls.<\/li>\n<\/ol>\n

      3.\u00a0 Conduct a thorough investigation and comprehensive response.<\/h4>\n

      Carry out additional investigations if you think you might have been affected to determine the full scope of compromised users\/assets. Microsoft recommends the following:<\/p>\n

        \n
      1. Review the Azure AD Security Operations Guide<\/a> to audit or establish your security operations<\/strong>. If you are a cloud service provider or an organization that relies on elevated privileges, you need to assess the security implications in your network and its connectivity for your customers. In particular, review authentications that are associated with Azure AD configuration changes using the Microsoft 365 compliance center<\/a> (formerly in the Exchange admin center) or Azure AD admin logs<\/a>.<\/li>\n
      2. Adequate log retention procedures for cloud-based resources are critical to effectively identify, respond to, and remediate malicious activity<\/strong>. Cloud service providers and other technology organizations often configure individual subscriptions to meet specific customer requirements. These configurations might not include security controls that enable full accountability to administrative actions should an incident occur. We encourage all organizations to become familiar with logs made available within your subscription and routinely evaluate them for adequacy and anomalies.<\/li>\n
      3. General Incident response playbooks for Phishing and Password spray<\/a> are available in Microsoft Security Best Practices.<\/li>\n<\/ol>\n

        If you are a downstream customer<\/h3>\n

        1.\u00a0 Review, audit, and minimize access privileges and delegated permissions<\/h4>\n

        It is important to consider and implement a least-privilege approach. Microsoft recommends prioritizing a thorough review and audit of partner relationships<\/a> to minimize any unnecessary permissions between your organization and upstream providers. Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or have not yet been audited.<\/p>\n

          \n
        1. Review, harden, and monitor all tenant administrator accounts<\/strong>: All organizations should thoroughly review all tenant admin users, including those associated with Administer On Behalf Of (AOBO)<\/a> in Azure subscriptions and verify the authenticity of the users and activity. We strongly encourage the use of strong authentication for all tenant administrators, review of devices registered for use with MFA, and minimize the use of standing high-privilege access. Continue to reinspect all active tenant admin users accounts and check audit logs on a regular basis to verify that high-privilege user access is not granted or delegated to admin users who do not require these to do their job.<\/li>\n
        2. Review service provider permissions access from B2B and local accounts<\/strong>: In addition to using the delegated administrative privilege capabilities, some cloud service providers use business-to-business (B2B) accounts or local administrator accounts in customer tenants. We recommend that you identify whether your cloud service providers use these, and if so, ensure those accounts are well-governed, and have least-privilege access in your tenant. Microsoft recommends against the use of \u201cshared\u201d administrator accounts. Review the detailed guidance<\/a> on how to review permissions for B2B accounts.<\/li>\n<\/ol>\n

          2. Verify multi-factor authentication (MFA) is enabled and enforce conditional access policies<\/h4>\n

          MFA is the best baseline security hygiene method to protect against threats. Follow the detailed guidance on setting up multifactor authentication<\/a> in Microsoft 365, as well as the guidance on deploying and configuring conditional access policies<\/a> in Azure Active Directory (Azure AD).<\/p>\n

          3. Review and audit logs and configurations<\/h4>\n
            \n
          1. Review and audit Azure AD sign-ins and configuration changes<\/strong>: Authentications of this nature are audited and available to customers through the Azure AD sign in logs<\/a>, Azure AD audit logs<\/a>, and the Microsoft 365 compliance center<\/a> (formerly in the Exchange Admin Center). We recently added the capability to see sign-ins by partners who have delegated admin permissions. You can see a filtered view of these sign-ins by navigating to the sign-in logs in the Azure AD admin portal<\/a>, and adding a filter \u2018Cross-tenant access type: Service provider\u2019 on the \u2018User-sign ins (non-interactive)\u2019 tab.\"TBA\"<\/li>\n
          2. Review Existing Log Availability and Retention Strategies<\/strong>: Investigating activities conducted by malicious actors places a large emphasis on having adequate log retention procedures for cloud-based resources including Office 365. Various subscription levels have individualized log availability and retention policies which are important to understand prior to forming an incident response procedure.<\/li>\n<\/ol>\n

            We encourage all organizations to become familiar with logs made available within your subscription and routinely evaluate them for adequacy and anomalies. For organizations relying on a third-party organization, work with them to understand their logging strategy for all administrative actions and establish a process should logs need to be made available during an incident.<\/p>\n

            Observed behaviors and TTPs<\/h2>\n

            Unique indicators (e.g., specific IPs, domains, hashes) have limited value in detecting global NOBELIUM activity because the indicators are mostly compartmented by campaign and specific to the targeted organization. They also regularly obfuscate their attack by shifting infrastructure and maintain very tight operational security around their campaigns. Despite this, the following behaviors and characteristics are common to NOBELIUM intrusions and should be reviewed closely during investigations to help determine if an organization has been affected:<\/p>\n