Security News > 2021 > December > SolarWinds Attackers Spotted Using New Tactics, Malware

Researchers said they've seen the threat group - which Microsoft refers to as "Nobelium" and which is linked to Russia's spy agency - compromising global business and government targets with novel tactics and custom malware, stealing data and moving laterally across networks.

Researchers believe the threat actors acquired the credentials from an info-stealer malware campaign of a third party rather than one of their own, they said.

Attackers have added a number of novel tactics, techniques and procedures to bypass security restrictions within environments, including the extraction of virtual machines to determine internal routing configurations, researchers wrote.

Other activity observed in the attacks includes using accounts with application impersonation privileges to harvest sensitive mail data, using residential IP proxy services and newly provisioned geo-located infrastructure to communicate with compromised victims, and abuse of multi-factor authentication to leverage "Push" notifications on smartphones, researchers said.

There is similar potential for widespread attack in the new clusters observed by Mandiant, researchers said.

Using a valid username and password combination, the researchers said that the attackers issued multiple MFA requests to an end user's legitimate device until the target accepted the authentication.

News URL

https://threatpost.com/solarwinds-attackers-new-tactics-malware/176818/