Cybersecurity Threat Advisory: Nobelium Spear Phishing Activity

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week there is a new critical alert that requires the mission-critical community’s immediate attention.

Advisory overview

Microsoft has been tracking a surge in spear-phishing activity conducted by Nobelium, the cyberattacking group behind the Sunburst backdoor exploit, as well as the Teardrop and GoldMax malware.

What is the threat?

Nobelium historically has targeted government organizations, think tanks, the military, information security (IT) service providers, telecom providers, and health and tech research companies. However, Microsoft’s Threat Intelligence Center (MSTIC) has tracked significant phishing activity targeting more than 3,000 individual email addresses. The phishing campaign is ongoing and utilizing the email service Constant Contact to distribute malicious emails to the masses while attempting to remain undetected. Nobelium uses the Constant Contact service to hide their malicious links behind the mailing service’s uniform resource locator (URL). MSTIC also has stated that the campaign seemed to evolve as it progressed.

Microsoft has identified that the campaign initially utilized Google’s Firebase platform to stage a malicious ISO[1] file, which eventually would be downloaded to the target machine. Another goal was to gain insight into the end user’s interaction with the email and embedded links by recording who clicked on the links.

According to MSTIC, the initial phase of the campaign did not compromise any systems, which indicates that the cyberattacker was conducting reconnaissance. Following the initial phase, Nobelium embedded its malicious ISO file into an HTML^[2] file attached to the email. When a user clicks on the attachment, JavaScript within the HTML document will mount the ISO file as a drive and eventually execute Cobalt Strike on the device. The group implemented additional changes to its campaign, such as decommissioning its use of Firebase and solely utilizing the embedded HTML document.

The latest iteration of the campaign spoofed the USAID^[3] domain (ashainfo@usaid.gov); has an authentic sender address following the standard Constant Contact addressing scheme, with the domain ending in “@in.constantcontact.com”; and specifies “mhillary@usaid.gov” as the reply-to address.

Why is it noteworthy?

Nobelium is a top-tier cyberattacker that previously exploited the SolarWinds Orion platform to compromise more than 18,000 organizations across the globe—it has proved that it is a very sophisticated and capable hacking group. Microsoft’s cited examples detailing evidence of evolution and experimentation are cause for concern, because Nobelium is attempting to remain undetected and implement more sophisticated means of compromising targeted systems.

What is the risk?

The campaign targeted 150 organizations and roughly 3,000 user accounts. Most of the emails were blocked by automated systems due to the high volume of outbound emails; however, some emails may have been delivered successfully to the recipients.

What are the recommendations?

Organizations should ensure that they utilize strong spam filtering and email protection; they also should continuously conduct training exercises to educate employees on how to spot, report, and act against phishing emails. Additionally, implementing alarms for, and blocking any of, the indicators of compromise (IOCs) provided by Microsoft in the first reference link below will indicate any traffic to the Cobalt Strike C2 servers or domains hosting the malware.

• Implement email protection
• Continuously educate employees on phishing attacks
• Ensure endpoint protection is up to date with the latest signatures
• Block IOCs provided by Microsoft

References

For more in-depth information about the recommendations, please visit the following links:

• https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
• https://i0.wp.com/securityaffairs.co/wordpress/wp-content/uploads/2021/05/post-COVID-19-emails.png?ssl=1

^[1] International Organization for Standardization.

^[2] Hypertext Markup Language.

^[3] United States Agency for International Development.