This week, Microsoft warned of the activities of the hacking group “Nobelium”. Above all, it attacks service providers that set up and maintain cloud services for other companies. The approach is not entirely new: the same idea was behind the attack via Solarwinds software at the turn of 2020/21 and the attack via Kaseya VSA on managed service providers and their customers in the summer. The pickpocket has to laboriously steal change from people in the crowd at the market, and never knows how much is really in the stolen wallet. The bank robber takes the money from the place where the people who have a lot of it bring it themselves.
Does this endanger the business model of the banks? No, spectacular coups notwithstanding. Does this endanger the MSPs’ business model? The industry players polled by ChannelPartner in July say “no”. It remains to be seen whether they are right. What is certain, however, is that MSPs have to work more carefully than before. They have to be aware of their enormous responsibility and of the possibilities an attacker gains if he obtains access to their systems.
According to its own statements, Microsoft has informed 609 customers of almost 23,000 attacks by the “Nobelium” group since July 1st. The attackers were successful in only a “low single-digit percentage” of their attempts. The attacks were discovered by Microsoft and Mandiant (until recently FireEye). According to Mandiant, the extent of the activity is less than at the end of last year, but the new approach gives cause for concern because the attackers use the channel to reach their targets. There are already victims in North America and Europe, and the attacks are continuing.
Mandiant has already investigated several attacks this year that exploited supply chain relationships between technology companies and their customers. “While malicious code was injected into legitimate software in the Solarwinds supply chain attack, most of the recent activity exploited stolen identities and the networks of technology solution providers, service providers and resellers in North America and Europe,” said Charles Carmakal, Senior Vice President and CTO at Mandiant. Ultimately, the targets are the networks of companies that are in the sights of the Russian government.
“This attack path makes it difficult for the companies affected to discover the attacks and to trace the activities of the hackers,” explains Carmakal. “First, the initial attack distracts from the real targets. In some cases, these are companies with more sophisticated cyber defenses. Instead, smaller technology partners with less sophisticated cyber defenses are targeted. Second, investigating these attacks requires collaboration and information sharing between the several companies affected, which is a challenge due to data protection concerns and operational confidentiality.”
Tenable criticizes the fact that those affected by the current attacks disregarded basic rules of cyber hygiene. The vendor referred to a high-ranking US government official who described the recent attacks as “everyday operations” that “could have been prevented if the cloud service providers had implemented basic cybersecurity practices”.
“Those who thought Solarwinds was a one-time attack failed to see the signs of the times,” warns Amit Yoran, Chairman and CEO of Tenable. Unsurprisingly, the same actors as back then are at work again. “This time, they are targeting resellers of Microsoft cloud services with a simple but large-scale attack. The attacks could have been prevented if the companies had taken basic cyber hygiene measures,” Yoran continued. These include, for example, multi-factor authentication, strict password policies and secure access management. “Once again, we find that no sophisticated, unprecedented technology was behind a major cyberattack,” comments Yoran. “It’s just the simple basics that still bother companies.”
According to Yoran, a relatively new development over the past twelve months is “the strategic and continuous focus on the software supply chain.” This is a direct indication of the significant security gaps in this area. The Solarwinds incident only made this visible for the first time, but unfortunately it is not an isolated case.