The recent attacks on Microsoft partners by Russian nation-state actor Nobelium are understandably concerning. The same threat actors behind the SolarWinds attack in 2020, Nobelium are trying to enter the technology supply at all levels, targeting resellers and partners that provide cloud services. The direct access partners have to customer’s environments gives these attackers a way into various systems, all at once.
Nobelium: Who They Are, Tactics and Success Rates
So, just how are Nobelium getting users to fall victim to these attacks? With many thinking the most obvious way for them to this is through exploiting a flaw or vulnerability in a customer’s environment, their methods are more traditional than this with the use of password spraying and phishing.
Microsoft have seen more attacks in the last four months from Nobelium, than from all other nation state actors in the past three years and have been identified as being part of the Russia Foreign intelligence service known as the SVR.
With this sheer volume of attacks gaining a lot of attention from businesses, what does this mean for the service providers who deliver the affected technologies as well as their customers? In our recent YouTube video, we explore this with our CEO, Chris Piggott and Infrastructure Manager, Dean Murray. Chris and Dean run through the recent Nobelium attacks in detail and what that means for partners and customers of Microsoft. Then taking looking at how this affects MSPs, partners and customers outlining what they need to know to secure against these targeted attacks. You can watch the video here or read below for a run through of what was discussed.
Partners: Why Does This Matter to You?
Minimising the impact of the Nobelium attacks to your customers is paramount. Their reliance on you to react and adapt is now coming into play meaning now is the time to take the right steps to increase security, removing as much risk from your customers as possible.
Top Tips Microsoft Partners Can Follow to Secure Against Nobelium Targeted Attacks
Set up MFA on all accounts and conditional access. Inclusive of device and user identity, this will enhance your customer’s security and protect what is important by applying the right access controls.
Move to the Secure Application Model Framework for all API queries. With some of the Partner Centre elements potentially being exposed through API, this is an effective way to make your customers less vulnerable.
Regularly review the Partner Centre activity logs. Keep an eye out for high privileged account creations or high privileged role assignments. A custom security dashboard can be created so you can proactively monitor and detect malicious activity.
Take advantage of the free Azure Premium P2 offered to partners. This includes risk based conditional access and privileged identity management.
Review all your log retention and review them routinely. Ensure you familiarise yourself with their contents and what ‘normal’ looks like in your customer’s organisation.
Remove delegated administrative privileges where no longer required. Microsoft now offer a new reporting tool that will aid you in doing this.
Customers: Why Does this Matter to You?
As a customer these attacks directly affect you and your business. It is important to note that if you take Office 365, Azure and other Microsoft services through a provider, that they are taking all the necessary steps to secure access and protect your systems. Here’s what else you as a business can be doing.
Top Tips Microsoft Partners Can Follow to Secure Against Nobelium Targeted Attacks
Review all partner relationships inside the tenancy. This includes removing any legacy relationships.
Ensure all tenant admin accounts have strong passwords and review all devices associated with MFA.
Minimise the use of standardising with high privilege access for administrative users.
Review all local accounts inside each tenancy. Some providers may create these, so it is important to review and remove any that are no longer required.
Enforce MFA and conditional access. The importance of MFA to business security is ever growing with accounts 99.9% less likely to be compromised if MFA is in place.
Know where your Azure AD sign-in logs are located. Review the service provider sign ins by using the Cross-Tenant access type: Service provider.
Due to the sheer volume of these attacks, implementing the above steps quickly is strongly advised. However, ensure you seek guidance from your provider if you are not sure of them at any point. Whilst Microsoft have made steps, through working with their partners to limit the impact of the Nobelium attacks, they are still making further steps to improve their security. With this in mind, if you are concerned, it is important you stay in touch with your provider, to confirm they are also continually assessing and improving the security of the technologies they supply to you.
Want to find out more about the products and services affected? Get in touch.
Recent Posts:
MSP Tips: Eliminate Challenges, Increase Productivity
MSP Tips: How to Maximise Your Product Offering and Widen Your Customer Base
