Security

Update on the Nobelium APT Attack Group

If you’re like me, you started your week by reading the Microsoft blog about Nobelium, an advanced persistent threat (APT) group that has been actively targeting cloud service providers (CSPs) and managed service providers (MSPs) in a recent wave of supply chain attacks. Personally, I wasn’t terribly surprised. We all know by now that MSPs have a bullseye on them for adversaries wishing to target the supply chain. What’s different about this attack is the motive.

Without getting into the details of Nobelium’s previous activities, what you must realize is that their attacks are extremely strategic—and they play the long game. They’re not trying to break in and cause immediate harm; they want to establish persistence in an environment and begin to learn what—and more importantly whom—they have access to. They’ll then utilize this information to continue their attack towards their ultimate objective.

Microsoft has provided a wealth of information about these attacks, for which I thank them. They have proactively contacted targeted entities in an attempt to contain these attacks quickly. As an MSP, you may think you’re safe if you weren’t among the 600+ organizations Microsoft notified as targets over the last few months. However, I would encourage you to use this information as an opportunity to review your policies and configurations, as well as those of your customers, so you understand how much risk those elements expose you to.

For starters, I’d suggest you review your M365 environment:

  • Do you have 2FA enabled for all users/applications?
  • Does your conditional access policy allow legacy authentication?
  • Do you have PowerShell enabled for your tenant? If so, is it locked down to specific accounts and controlled by conditional access?
  • Do you have a password lockout policy configured?
  • Do you have advanced threat protection enabled for your emails? If so, are you using safe attachment scanning?
  • Do you have any externally exposed systems that authenticate against Active Directory but rely on single-factor authentication?
  • Are you performing periodic user reviews?
  • Are you leveraging Microsoft Defender for Identity and monitoring those alerts?
  • Do you have a process to investigate any suspicious findings?
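A read-only way to answer the first two questions on that list (MFA for everyone and legacy authentication) with the Microsoft Graph PowerShell SDK, added here as an example rather than anything from the original post or from N‑able. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the Policy.Read.All scope.

```powershell
# Added example (not from the original post): audit security defaults and
# enabled conditional access policies for MFA-for-all and a legacy-auth block.
# Assumes the Microsoft.Graph module is installed and Policy.Read.All can be granted.
Connect-MgGraph -Scopes 'Policy.Read.All'

# Security defaults force MFA registration for all users and block legacy
# authentication; if they are off, conditional access has to cover both.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$policies = @(Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled')

function Test-BlocksLegacyAuth($p) {
    # A legacy-auth block policy targets the 'other' (and usually
    # 'exchangeActiveSync') client app types and grants 'block'.
    ($p.Conditions.ClientAppTypes -contains 'other') -and
    ($p.GrantControls.BuiltInControls -contains 'block')
}

function Test-RequiresMfaForAll($p) {
    # Scoped to all users and all cloud apps, with MFA as a grant control.
    ($p.Conditions.Users.IncludeUsers -contains 'All') -and
    ($p.Conditions.Applications.IncludeApplications -contains 'All') -and
    ($p.GrantControls.BuiltInControls -contains 'mfa')
}

$legacyBlocked = [bool]$defaults.IsEnabled -or
    (@($policies | Where-Object { Test-BlocksLegacyAuth $_ }).Count -gt 0)
$mfaForAll = [bool]$defaults.IsEnabled -or
    (@($policies | Where-Object { Test-RequiresMfaForAll $_ }).Count -gt 0)

# Anything reported as $false here is a gap worth a closer look; the policy
# names let you find the exact policy in the portal.
[pscustomobject]@{
    SecurityDefaultsEnabled = [bool]$defaults.IsEnabled
    LegacyAuthBlocked       = $legacyBlocked
    MfaRequiredForAllUsers  = $mfaForAll
    EnabledPolicyNames      = ($policies.DisplayName -join '; ')
} | Format-List
```

Policies that exclude specific users or groups still pass the MFA check above, so review the exclusion lists by hand as part of the periodic user review.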

My list could go on and on, but I encourage you to read the Microsoft blog, where they have a wealth of information on best practices around mitigation and remediation. For our MSPs, I would also recommend you review best practices around securing your N‑able solutions, as those systems have been and continue to be in the crosshairs of attackers. These practices include such steps as:

  • Follow the principle of Least Privilege when assigning permissions.
  • Ensure MFA is enabled and in use for all technician logins.
  • For N‑able™ N‑central®, ensure you are up to date with the latest version.
  • For N‑able RMM, ensure IP Address Restriction is in place for user login.
  • For additional hardening recommendations, see N‑central and RMM.

Securing these environments is our shared responsibility.

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and does not constitute legal advice. N‑able makes no warranty, express or implied, and assumes no liability or responsibility for the accuracy, completeness, or usefulness of the information contained in this document.

N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. They are trademarks protected by law and may be registered or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or registered trademarks) of their respective companies.