Security News

Researchers said they've seen the threat group - which Microsoft refers to as "Nobelium" and which is linked to Russia's spy agency - compromising global business and government targets with novel tactics and custom malware, stealing data and moving laterally across networks. Researchers believe the threat actors acquired the credentials from an info-stealer malware campaign of a third party rather than one of their own, they said.

Stor-a-File, a British data capture and storage company, suffered a ransomware attack in August that exploited an unpatched instance of SolarWinds' Serv-U FTP software. "The medical company used Stor-a-file for the scanning of paper documents including medical records," our reader told us.

The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices. SolarWinds released an emergency security update in July 2021 after discovering a "a single threat actor" exploiting it in attacks.

The SolarWinds attackers - an advanced persistent threat known as Nobelium - have started a new wave of supply-chain intrusions, this time using the technology reseller/service provider community to attack their targets. "While the SolarWinds supply-chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government."

Russia's Nobelium group - fingered as being a Russian state actor by both the United States and Britain - has massively ramped up phishing and password spraying attempts against managed service providers and cloud resellers, Microsoft's security arm has warned. The Windows maker said the group's targeted attacks against "Resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers" had trebled over the past three months.

A month ago, the FBI, CISA and the U.S. Coast Guard Cyber Command warned that state-backed advanced persistent threat actors are likely among those who'd been actively exploiting a critical flaw in a Zoho-owned single sign-on and password management tool since early August. In a recent Threatpost podcast, George Glass, head of threat intelligence at Redscan - a subdivision of the Kroll responder team that manages detection and response - said that the incident has worried the firm's main clients, who are concerned that it could turn into a similar scenario to the the calamitous, widespread SolarWinds attacks in April.

Russia's SVR spy agency made off with information about US counterintelligence investigations in the wake of the SolarWinds hack, according to people familiar with the American government cleanup operation. The SVR was named and shamed in April by Britain and the US as the organisation that compromised the build systems of SolarWinds' network monitoring software Orion, used by 18,000 customers across the world.

Cybersecurity researchers on Wednesday disclosed a previously undocumented backdoor likely designed and developed by the Nobelium advanced persistent threat behind last year's SolarWinds supply chain attack, joining the threat actor's ever-expanding arsenal of hacking tools. "While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims," Kaspersky researchers said.

Kaspersky security researchers have discovered a new backdoor likely developed by the Nobelium hacking group behind last year's SolarWinds supply chain attack. The new malware found by Kaspersky, dubbed Tomiris, was first spotted in June even though the first samples were deployed in the wild in February 2021, one month before the "Sophisticated second-stage backdoor" Sunshuttle was found by FireEye and linked to Nobelium.

Researchers have discovered a campaign delivering a previously unknown backdoor they're calling Tomiris. Namely, Tomiris has a number of similarities to the Sunshuttle second-stage malware that was distributed by Nobelium.