Russian hackers bypass two-factor authentication with repeated push notifications.


Nobelium, the Russian cyber-espionage group that allegedly orchestrated the SolarWinds supply chain attack, continued to launch new attacks throughout 2021, using sophisticated techniques to get past two-factor authentication and gain access to some targets’ accounts, according to Mandiant.

https://www.mandiant.com/resources/russian-targeting-gov-business

In most of the intrusions, post-compromise activity involved the theft of data relevant to Russian interests. In some cases the stolen data is believed to have been used to build new routes into other victims’ environments. The threat group keeps introducing new techniques and methods to maintain persistent access to victims’ environments, hinder detection, and frustrate attribution.

The following information describes some of the tactics, techniques, and procedures (TTPs) used by the threat actors, covering initial intrusion, establishing a foothold, data collection, and lateral movement; how the actors provision their infrastructure; and indicators of compromise. By sharing this information, organizations can raise awareness and strengthen their defenses.

One technique described in the published report abuses the push notification feature of some online accounts.

Two-factor authentication (2FA) or multi-factor authentication (MFA) delivers the second factor either as a one-time code, usually via SMS or email, or as a push notification that pops up on the user’s smartphone.

When a user logs into their account with valid credentials, a push notification will appear on their smartphone, showing details such as the type of device and IP address that is trying to access their account, and asking if they want to allow the operation.

While 2FA push notifications are not yet widely adopted, they are considered a safer form of 2FA than email or SMS codes, because an attacker would seemingly need physical access to the victim’s smartphone to bypass them.

Mandiant researchers, however, said they had investigated several incidents in which the attackers obtained a user’s valid login credentials, repeatedly attempted to log into the account, and so repeatedly triggered 2FA push notifications on the victim’s device until the target finally accepted the request.

It is unclear whether these victims accepted the push notifications by accident, because they thought the prompts were a bug, or simply because they were annoyed by them.

Nobelium often uses IP proxies located in the same region as the victim, so that the target does not see login requests from unfamiliar IP addresses; this may be why some victims approved the attacker’s login request.
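A defender-side way to catch the pattern described above is to count push prompts per user in a sliding time window, and to flag an approval that follows a burst, without relying on the source IP (the attacker may proxy from the victim’s region). This example is added here and is not from the article or Mandiant’s report; the log line format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Assumed line format:
# "<ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved> ip=<addr>"
SAMPLE_LOG = """\
2021-12-07T09:00:00Z user=alice event=push_sent ip=203.0.113.5
2021-12-07T09:00:05Z user=alice event=push_denied ip=203.0.113.5
2021-12-07T09:00:40Z user=alice event=push_sent ip=203.0.113.5
2021-12-07T09:01:30Z user=alice event=push_sent ip=203.0.113.5
2021-12-07T09:02:10Z user=alice event=push_sent ip=203.0.113.5
2021-12-07T09:03:00Z user=alice event=push_sent ip=203.0.113.5
2021-12-07T09:03:20Z user=alice event=push_approved ip=203.0.113.5
2021-12-07T09:05:00Z user=bob event=push_sent ip=198.51.100.9
2021-12-07T09:05:04Z user=bob event=push_approved ip=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) ip=(\S+)$")

def parse_line(line):
    """Parse one log line into (timestamp, user, event, ip), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_push_fatigue(log_text, threshold=4, window_seconds=300):
    """Return (user, kind, prompt_count) alerts: 'burst' when a user receives
    `threshold` push prompts inside the window, 'approved_after_burst' when an
    approval arrives while such a burst is still inside the window.
    The IP is deliberately ignored; volume and timing carry the detection."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> timestamps of push_sent in the window
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, event, _ip = parsed
        q = recent[user]
        if event == "push_sent":
            q.append(ts)
            while q and ts - q[0] > window:  # drop prompts older than the window
                q.popleft()
            if len(q) == threshold:          # fire once as the burst crosses the line
                alerts.append((user, "burst", len(q)))
        elif event == "push_approved" and len(q) >= threshold:
            alerts.append((user, "approved_after_burst", len(q)))
    return alerts
```

In practice the threshold and window should be tuned to the identity provider’s normal prompt rate; a user approving after a burst deserves an immediate credential reset and session revocation, not just a ticket.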

Nobelium continues to work with advanced technology

Nobelium is a sophisticated attack group that maintains “top-notch operational security and advanced tradecraft,” according to the Mandiant report, and the SolarWinds hack is not its only success.

Mandiant also provides an overview of the group’s latest tactics and activities.

  • Intrusion into multiple cloud providers and, from there, access to their respective customers’ systems
  • Use of login credentials believed to have been obtained from a CRYPTBOT infostealer campaign, in the first quarter of 2021
  • Use of compromised accounts with application access to harvest sensitive email data
  • Extraction of virtual machines from compromised networks to determine internal routing configuration
  • Use of a new malware named “CEELOADER” as an initial stepping stone, later dropping a further new malware binary
  • Use of IP address ranges near the victim’s residence to authenticate to the victim’s environment
  • Use of an Azure server for data collection, placed in the same cloud region as the victim’s network to avoid triggering security alerts
  • Use of compromised WordPress sites to host malware
  • Use of Tor, VPN, and VPS servers to disguise the actual location when conducting reconnaissance and attacks

In April of this year, the White House officially attributed “Nobelium” to the Russian Foreign Intelligence Service (SVR).
