Amazon Sidewalk WiFi Share

Starting June 8, Amazon will automatically enable a feature on its family of hardware devices, including Echo speakers, Ring Video Doorbells, Ring Floodlight Cams, and Ring Spotlight Cams, that will share a small part of your Internet bandwidth with nearby neighbors — unless you choose to opt-out.

To that end, the company intends to enroll every compatible device operating in the U.S. in Sidewalk, a shared low-bandwidth mesh network it is preparing to roll out across the country.

Originally announced in September 2019, Sidewalk is Amazon’s effort to build a long-range wireless network that combines Bluetooth Low Energy with the 900 MHz band (FSK and LoRa) so that Echo, Ring, Tile trackers, and other Sidewalk-enabled devices can reach the internet without a Wi-Fi connection of their own.

Sidewalk is designed to extend the working range of low-bandwidth devices and keep them connected even when they are outside the range of their owner’s home Wi-Fi. It does this by pooling a small slice of internet bandwidth from each participating Echo or Ring device (the network’s “bridges”) into a shared neighborhood network.


The mechanism that undergirds Sidewalk is conceptually analogous to how Apple leverages its huge installed base of Apple devices to help locate lost devices using its Find My network. But Sidewalk also extends beyond location tracking for virtually any kind of short-range two-way communication. Besides utilizing Bluetooth Low Energy (BLE), Sidewalk also makes use of long-range wireless technology known as LoRa to help devices stay connected and continue to work over longer distances.

By flipping the switch on Sidewalk in the U.S. for all capable devices by default, the idea is to co-opt millions of smart home devices into the network and provide near-ubiquitous connectivity out of the range of a standard Wi-Fi network.

Sidewalk’s Privacy and Security Protections

Describing the protections built into Sidewalk, the retail and entertainment behemoth said that packets traversing the network are protected by three layers of encryption, and that unauthorized devices are kept out because every device must authenticate with Sidewalk credentials created during the device registration process.


“Sidewalk protects customer privacy by limiting the amount and type of metadata that Amazon needs to receive from Sidewalk endpoints to manage the network,” the company said in a white paper, while stressing that Sidewalk has been implemented with security protocols to prevent disclosure of private information and any commands that may be transmitted over the network.

Each transmission between an endpoint (say, leak sensors, door locks, or smart lights) and its respective application server is also identified by a unique transmission-ID (TX-ID) that changes every 15 minutes to prevent tracking devices and associating a device to a specific user.

That said, Sidewalk does need to know a third-party Sidewalk-enabled device’s serial number to route its messages to the right application server. “The routing information that Amazon does receive for operating the network components of Sidewalk is automatically cleared every 24 hours,” the whitepaper adds, noting also that endpoints reported as lost or stolen will be blocklisted.
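The rotating TX-ID and the backend’s need to map it back to a device pull in opposite directions: a passive listener should see unrelated identifiers every 15 minutes, while the network operator, who holds the device credentials, must still resolve them. The following is an added illustration of how such a scheme is commonly built (a keyed MAC over a time slot), not Amazon’s code; the per-device keys, the HMAC-SHA256 derivation, and the one-slot clock-skew tolerance are assumptions, since the whitepaper does not describe the actual derivation.

```python
import hashlib
import hmac

# Constructed per-device secrets, standing in for the credentials Sidewalk creates
# at registration. Real Sidewalk keys and the exact TX-ID derivation are not public.
DEVICE_KEYS = {
    "SN-0001": bytes.fromhex("0f" * 16),
    "SN-0002": bytes.fromhex("a5" * 16),
}
ROTATION_SECONDS = 15 * 60  # the 15-minute TX-ID lifetime described in the whitepaper


def window(ts):
    """Index of the 15-minute slot that a Unix timestamp falls in."""
    return int(ts) // ROTATION_SECONDS


def tx_id(device_key, slot):
    """Pseudonymous transmission ID for one slot: HMAC of the slot index under the device key.

    Assumed construction: without the key, IDs from different slots look unrelated.
    """
    mac = hmac.new(device_key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:8].hex()


def resolve(tx, ts, keys=DEVICE_KEYS, skew_slots=1):
    """Backend side: recover the device serial from a TX-ID by recomputing candidates.

    Only a party holding the device keys can do this. Adjacent slots are tried so a
    device whose clock is slightly off is still resolvable.
    """
    slot = window(ts)
    for serial, key in keys.items():
        for candidate in range(slot - skew_slots, slot + skew_slots + 1):
            if hmac.compare_digest(tx_id(key, candidate), tx):
                return serial
    return None


def linkable(ts1, ts2, key=DEVICE_KEYS["SN-0001"]):
    """True if the same device would emit the same TX-ID at the two times."""
    return tx_id(key, window(ts1)) == tx_id(key, window(ts2))
```

The point to take from it is the asymmetry: `resolve` works only with the key table, and a listener correlating two captures more than a slot apart gets nothing to link. Any real deployment also has to contend with the serial number and routing metadata that, as the whitepaper concedes, the operator still receives.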

While these guarantees are a step in the right direction, wireless technologies such as Bluetooth and Wi-Fi have repeatedly turned out to harbor critical flaws that expose devices to a range of attacks, and a proprietary protocol like Sidewalk may be no exception. That is before considering that the technology could be abused as a surveillance tool to covertly track a partner, enabling stalking.

How to Opt-Out and Turn Off Amazon Sidewalk?

A matter of more concern is that Sidewalk is opt-out rather than opt-in, meaning users will be automatically enrolled into Sidewalk unless they choose to explicitly turn it off.

In an FAQ on the Sidewalk page, Amazon says that should users opt to disable the feature, it’s tantamount to “missing out on Sidewalk’s connectivity and location related benefits,” adding “You also will no longer contribute your internet bandwidth to support community extended coverage benefits such as locating pets and valuables with Sidewalk-enabled devices.”

Owners of Echo and Ring devices can opt out of the device-to-device network in either the Alexa or the Ring app:

  • Alexa app: Open More > select Settings > Account Settings > Amazon Sidewalk, and toggle it on/off
  • Ring app: Tap “three-lined” menu > Control Center > Sidewalk, and tap the slider button

SASE is all the rage, promising things IT leaders have long dreamed about, but a purist approach may create consequences.

Secure Access Service Edge (SASE) has been a hot topic since Gartner defined it as a new category of offerings that combines wide area network (WAN) capabilities with network security functions. Everyone agrees SASE makes sense conceptually, but when it comes to turning idealistic frameworks into realistic IT approaches, misconceptions abound. Here’s where SASE principles can be taken too far and where IT buyers may get a bit too starry-eyed.

Misconception #1: SASE Mandates Zero Daisy Chains
Gartner’s 2019 Hype Cycle for Enterprise Networking included this warning statement about virtual machine service chains (also known as daisy chains) that can sometimes lead people astray:

“Software architecture and implementation matters. Be wary of vendors that propose to deliver services by linking a large number of features via [virtual machine] service chaining, especially when the products come from a number of acquisitions or partnerships. This approach may speed time to market but will result in inconsistent services, poor manageability, and high latency.”

Solution architecture is important, and yes, you want to minimize the number of daisy chains to reduce complexity. However, it doesn’t mean you cannot have any daisy chains in your solution. In fact, dictating zero daisy chains can have consequences — not for performance, but for security. 

SASE consolidates a wide array of security technologies into one service, yet each of those technologies is a standalone segment today — with its own industry leaders and laggards. Any buyer who dictates “no daisy chains” is trusting that one single SASE provider can (all by itself) build the best technologies across a constellation of capabilities that is only growing larger. Being beholden to one company is not pragmatic given that the occasional daisy chain greatly increases the ability to unite best-of-breed technologies under one service provider’s umbrella. Here are a few more reasons why daisy chains are needed: 

  • No single vendor, particularly a startup, can effectively deliver on all areas of SASE security with a level of product maturity, mastery, and best practices that businesses need and expect in today’s landscape of relentless attackers. SASE capabilities should be proven on the harsh cyber battlefield, and most startups don’t survive.
  • Any incremental complexity stemming from a strategically placed daisy chain or two should be managed by the provider and should not impact the customer. If a SASE platform performs above expectations, then why should the number of daisy chains matter?
  • “No daisy chains” implies technology acquisitions and large market consolidation, meaning a small number of very large SASE providers may have too much market power, stifling innovation and raising prices. That’s not always good for IT buyers.

Misconception #2: You Must Take an All-Cloud Approach With SASE
SASE revolves around the cloud and is undoubtedly about speed and agility achieved through cloud-deployed security. But SASE doesn’t mean the cloud is the only way to go and you should ignore everything else. Instead, IT leaders must take a more practical position, using the best technology given the situation and problem. For example, on-premises next-gen firewall appliances are usually still the best option for large offices where performance and total cost of ownership are the key goals. If your SASE approach is cloud-first but not cloud-only, make sure your solution follows suit. 

Misconception #3: SASE Will Solve All Your Security Problems
Don’t assume SASE is a total solution. SASE covers a lot of ground, but it does not cover all the technologies a company needs to secure a remote-work and multicloud environment. For example, cloud workload protection (CWP) and endpoint detection and response (EDR) are critical in securing user and cloud computing environments but are not part of the SASE framework. Although EDR is a primary technology for addressing ransomware, a skyrocketing threat vector, it is excluded from SASE because it does not require network traffic inspection to function. Rather, it’s an agent-based solution that monitors operating system activity and integrity.

Moreover, SASE addresses only the technology components of an effective security program, leaving out the experts required for 24/7 security monitoring and mature incident response. Without a dedicated team of security analysts, security technologies are ineffective — whether they are included in SASE or not. Professional skills are necessary to investigate threats and stop them before major damage is done.

Purity vs. Pragmatism
SASE is all the rage, promising the ideologies that IT leaders have dreamed about for years, but taking a purist approach may have consequences. Hardline expectations around daisy chains and the cloud should be softened in favor of maximizing security excellence and business outcomes. Likewise, SASE solutions need to be compared against the broader security and network strategy, seeing where it adds value and where it may still fall short. By taking a pragmatic approach, companies can make ideologies tangible, achieving agility and productivity with ready-made security.

Jay brings more than 20 years of security experience to Masergy as Director of Security Product Management. He is responsible for the product vision of Masergy’s managed security services and leads the product team on execution. Previously, Jay was Director of Security …


DMARC Email Security

Are you aware of how secure your domain is? Most organizations assume their domains are secure; within a few months, the truth often dawns on them that they aren’t.

Spotting someone spoofing your domain name is one sign that your security is unsatisfactory: it means someone is impersonating you (or confusing some of your recipients) and spreading false information in your name. You may ask, “But why should I care?” Because such spoofing can endanger your reputation.

With so many companies being targeted by domain impersonators, email domain spoofing shouldn’t be taken lightly. Organizations that ignore it put themselves, as well as their clients, at risk.

Your domain’s security rating can make a huge difference in whether or not you get targeted by phishers looking to make money quickly or to use your domain and brand to spread ransomware without you knowing it!

Check your domain’s security rating with this Free DMARC Lookup tool. You may be surprised by what you learn!

How Do Attackers Spoof Your Domain?

Email spoofing is the act of an attacker using the forged identity of a legitimate source to impersonate a person or masquerade as an organization. It is typically carried out in one of two ways:

  • Manipulating the domain name: Attackers can use your domain name to send emails to your unsuspecting recipients who can fall prey to their malicious intentions. Popularly known as direct-domain spoofing attacks, these attacks are especially harmful to a brand’s reputation and how your customers perceive your emails.
  • Forging the email domain or address: wherein attackers exploit loopholes in existing email security protocols to send emails on behalf of a legitimate domain. The success rate of such attacks is higher as attackers use third-party email exchange services to carry out their malicious activities that do not verify the origin of email sending sources.

Because sender verification was never built into the Simple Mail Transfer Protocol (SMTP), the protocol on which email is based, it has to be layered on afterwards: SPF, DKIM, and DMARC let a receiving server check whether a message really came from the domain it claims to come from.

How Can a Low Domain Security Impact Your Organization?

As most organizations send and receive data through email, they need a secure channel in order to protect their brand; inadequate email security leads to big problems for enterprises and individuals alike. Email is still the most widely used communication platform, and mail sent in your name after a breach or from a spoofed domain can be devastating for your organization’s reputation. Such spoofed emails can also spread malware, spyware, and spam. It is therefore imperative to re-examine how security is deployed on email platforms.

In 2020 alone, brand impersonation accounted for 81% of all phishing attacks, while a single spear-phishing attack resulted in an average loss of $1.6 million. Security researchers predict that this will double by the end of 2021. In turn, this increases the need for organizations to improve their email security as soon as possible.

In contrast to multinational businesses, small businesses and SMEs are still averse to the idea of implementing email security protocols. This is because it’s a common myth that SMEs do not fall on the potential target radar of cyber-attackers. Unfortunately, that isn’t true. Hackers target organizations based on the security vulnerabilities and problems of their email security, not on the size of the organization. Therefore, any organization with poor domain security might be a target.

Learn how you can get a higher domain security rating with this email security rating guide.

Leverage Authentication Protocols to Gain Maximum Domain Security


While checking your domain’s email security rating, a low score can be due to the following factors:

  • You don’t have email authentication protocols like SPF, DMARC, and DKIM deployed within your organization
  • You have deployed the protocols but have not enforced them for your domain
  • You have errors in your authentication records
  • You have not enabled DMARC reporting to gain visibility on your email channels
  • Your emails in transit and server communication are not secured over TLS encryption with MTA-STS
  • You have not implemented SMTP TLS reporting to get notified on issues in email delivery
  • You have not configured BIMI for your domain to improve your brand recollection
  • You have not resolved SPF permerror with dynamic SPF flattening

All of these factors make your domain more vulnerable to email fraud, impersonation, and domain abuse.
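Most of the factors in the list above can be checked directly from a domain’s DNS records. The following is an added example, not part of the original article and not PowerDMARC’s code, that audits two constructed domains (`weak.test` and `strong.test`) against those factors: a single valid SPF record that does not end in `+all`, the RFC 7208 limit of 10 DNS-querying SPF terms (the cause of `permerror`), a DMARC policy that is enforced and reports, a DKIM key for the selectors you know about, and the presence of MTA-STS, TLS-RPT and BIMI records. The DNS answers are embedded as a dictionary so the script runs offline; a real audit would resolve the same names with a DNS library.

```python
import re

# Constructed DNS TXT answers for two test domains (not real zones).
DNS = {
    # weak.test: SPF exceeds the lookup limit, DMARC is monitor-only, no MTA-STS/TLS-RPT/BIMI
    "weak.test": ["v=spf1 include:_spf.mailer.test include:a.test include:b.test include:c.test ~all"],
    "_spf.mailer.test": ["v=spf1 include:x.test include:y.test include:z.test include:w.test "
                         "include:q.test include:r.test include:s.test ip4:192.0.2.0/24 -all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
    "s1._domainkey.weak.test": ["v=DKIM1; k=rsa; p=MIIBIjANBg..."],
    # strong.test: every listed control is present and enforced
    "strong.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.strong.test": ["v=DMARC1; p=reject; rua=mailto:agg@strong.test; ruf=mailto:fo@strong.test"],
    "s1._domainkey.strong.test": ["v=DKIM1; k=rsa; p=MIIBIjANBg..."],
    "_mta-sts.strong.test": ["v=STSv1; id=20210601T000000"],
    "_smtp._tls.strong.test": ["v=TLSRPTv1; rua=mailto:tlsrpt@strong.test"],
    "default._bimi.strong.test": ["v=BIMI1; l=https://strong.test/logo.svg"],
}

MAX_SPF_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it yields permerror
# SPF terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect), with optional qualifier
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=](\S+))?$", re.I)


def txt(name):
    return DNS.get(name.lower(), [])


def spf_record(domain):
    recs = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None  # zero or several records is itself an error


def spf_lookups(domain, seen=None):
    """Count DNS-querying SPF terms reachable from domain, following include:/redirect=."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    rec = spf_record(domain)
    if rec is None:
        return 0
    count = 0
    for term in rec.split()[1:]:
        m = LOOKUP_TERM.match(term)
        if not m:
            continue
        count += 1
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            count += spf_lookups(m.group(2).lower(), seen)
    return count


def tags(record):
    """Parse 'k=v; k=v' records (DMARC, MTA-STS, TLS-RPT, BIMI share this syntax)."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def audit(domain, dkim_selectors=("s1",)):
    """Return the list of weaknesses found; an empty list means every control is in place."""
    findings = []
    spf = spf_record(domain)
    if spf is None:
        findings.append("SPF: no single valid v=spf1 record")
    else:
        if spf.split()[-1].lower() in ("+all", "all"):
            findings.append("SPF: ends in +all, which authorises any sender")
        n = spf_lookups(domain)
        if n > MAX_SPF_LOOKUPS:
            findings.append(f"SPF: {n} DNS lookups exceed the limit of {MAX_SPF_LOOKUPS} (permerror)")
    dmarc = [r for r in txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record at _dmarc." + domain)
    else:
        t = tags(dmarc[0])
        if t.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in t:
            findings.append("DMARC: no rua= address, so no aggregate reports arrive")
        if t.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={t['pct']} applies the policy to only part of the mail")
    if not any(r.upper().startswith("V=DKIM1")
               for s in dkim_selectors for r in txt(f"{s}._domainkey.{domain}")):
        findings.append("DKIM: no public key found for the known selectors")
    if not any(r.startswith("v=STSv1") for r in txt("_mta-sts." + domain)):
        findings.append("MTA-STS: no policy record, so inbound TLS is not enforced")
    if not any(r.startswith("v=TLSRPTv1") for r in txt("_smtp._tls." + domain)):
        findings.append("TLS-RPT: no reporting address for TLS delivery failures")
    if not any(r.startswith("v=BIMI1") for r in txt("default._bimi." + domain)):
        findings.append("BIMI: no logo record (cosmetic, but it requires DMARC enforcement first)")
    return findings
```

Running `audit("weak.test")` reports five findings, including the 11 SPF lookups that push the record into `permerror`, while `audit("strong.test")` returns nothing. DKIM selectors are not discoverable from DNS, so the function takes the selector names you use; a missing selector on a real domain may simply mean the audit was not told about it.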

PowerDMARC is your one-stop email authentication SaaS platform that brings all the authentication protocols (DMARC, SPF, DKIM, MTA-STS, TLS-RPT, BIMI) across a single pane of glass to make your emails safe again and improve your domain’s email security posture.

Its DMARC analyzer simplifies protocol implementation by handling all the complexities in the background and automating the process for domain users. Taking advantage of your authentication protocols in this way allows you to maximize the power of your security solutions.

Sign up for your free DMARC report analyzer today to get a high domain security rating and protection against spoofing attacks.

Siemens on Friday shipped firmware updates to address a severe vulnerability in SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs) that could be exploited by a malicious actor to remotely gain access to protected areas of memory and achieve unrestricted and undetected code execution, in what the researchers describe as an attacker’s “holy grail.”

The memory protection bypass vulnerability, tracked as CVE-2020-15782 (CVSS score: 8.1), was discovered by operational technology security company Claroty by reverse-engineering the MC7 / MC7+ bytecode language used to execute PLC programs in the microprocessor. There’s no evidence that the weakness was abused in the wild.


In an advisory issued by Siemens, the German industrial automation firm said an unauthenticated, remote attacker with network access to TCP port 102 could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.

“Achieving native code execution on an industrial control system such as a programmable logic controller is an end-goal relatively few advanced attackers have achieved,” Claroty researcher Tal Keren said. “These complex systems have numerous in-memory protections that would have to be hurdled in order for an attacker to not only run code of their choice, but also remain undetected.”

Not only does the new flaw allow an adversary to gain native code execution on Siemens S7 PLCs, but the sophisticated remote attack also avoids detection by the underlying operating system or any diagnostic software by escaping the user sandbox to write arbitrary data and code directly into protected memory regions.

Claroty, however, noted that the attack would require network access to the PLC as well as “PLC download rights.” In jailbreaking the PLC’s native sandbox, the company said it was able to inject a malicious kernel-level program into the operating system in such a way that it would grant remote code execution.

This is far from the first time unauthorized code execution has been achieved on Siemens PLCs. In 2010, the infamous Stuxnet worm leveraged multiple flaws in Windows to reprogram industrial control systems by modifying code on Siemens PLCs for cyber espionage and covert sabotage.

Then in 2019, researchers demonstrated a new class of attacks called “Rogue7” that exploited vulnerabilities in Siemens’ proprietary S7 communication protocol to “create a rogue engineering station which can masquerade as the TIA to the PLC and inject any messages favourable to the attacker.”

Siemens is “strongly” recommending users to update to the latest versions to reduce the risk. The company said it’s also putting together further updates and is urging customers to apply countermeasures and workarounds for products where updates are not yet available.
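Until the firmware update is applied, the precondition named in the advisory, network reach to TCP port 102 on the PLC, is the thing a defender can actually measure. The following is an added example (not from Siemens or Claroty) that reads constructed key=value firewall log lines and reports which hosts reached a PLC on port 102 without being one of the known engineering stations, as well as blocked attempts, which are the early warning that someone is looking. The subnet, the allowlist, and the log format are assumptions for the example.

```python
import ipaddress

S7_PORT = 102  # ISO-TSAP, the TCP port named in the Siemens advisory
# Constructed network layout: the PLC VLAN and the only host allowed to program it.
PLC_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]
ENGINEERING_STATIONS = {ipaddress.ip_address("10.10.10.5")}

# Constructed firewall log lines in a key=value shape (not from any real device).
SAMPLE_LOG = """\
2021-05-28T10:01:02Z src=10.10.10.5 dst=10.10.20.11 dport=102 proto=tcp action=allow
2021-05-28T10:01:09Z src=10.10.10.5 dst=10.10.20.12 dport=102 proto=tcp action=allow
2021-05-28T10:04:44Z src=10.50.3.17 dst=10.10.20.11 dport=102 proto=tcp action=allow
2021-05-28T10:05:01Z src=10.50.3.17 dst=10.10.20.11 dport=80 proto=tcp action=allow
2021-05-28T10:06:30Z src=192.0.2.77 dst=10.10.20.12 dport=102 proto=tcp action=deny
"""


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = ts
    return fields


def is_plc(ip):
    return any(ip in net for net in PLC_NETWORKS)


def audit_s7_access(log, allowlist=ENGINEERING_STATIONS):
    """Return hosts that reached a PLC on TCP/102 without being an engineering station,
    plus attempts the firewall blocked, as two lists of (timestamp, src, dst)."""
    unexpected, blocked = [], []
    for line in log.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if f.get("proto") != "tcp" or int(f["dport"]) != S7_PORT or not is_plc(dst):
            continue
        record = (f["ts"], str(src), str(dst))
        if f.get("action") == "deny":
            blocked.append(record)
        elif src not in allowlist:
            unexpected.append(record)
    return {"unexpected": unexpected, "blocked": blocked}
```

On the sample, the engineering station’s sessions are silent, the host at 10.50.3.17 is flagged for an allowed port-102 connection, and the denied probe from 192.0.2.77 is listed separately. Reachability is only half of Claroty’s precondition; the attacker also needs PLC download rights, so the same allowlist should be enforced at the PLC’s own access protection, not just at the firewall.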

Cybersecurity researchers have disclosed two new attack techniques on certified PDF documents that could potentially enable an attacker to alter a document’s visible content by displaying malicious content over the certified content without invalidating its signature.

“The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels,” said researchers from Ruhr-University Bochum, who have systematically analyzed the security of the PDF specification over the years.

The findings were presented at the 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021) held this week.

The two attacks, dubbed Evil Annotation and Sneaky Signature, hinge on manipulating the PDF certification process by exploiting flaws in the part of the specification that governs digital signatures (approval signatures) and their more flexible variant, certification signatures.


Certification signatures also allow different subsets of modifications on the PDF document based on the permission level set by the certifier, including the ability to write text to specific form fields, provide annotations, or even add multiple signatures.

The Evil Annotation Attack (EAA) works by taking a certified document whose permissions allow annotations and adding an annotation carrying attacker-chosen content, for example one that overlays the certified text, before sending it on to the victim. The Sneaky Signature Attack (SSA), in turn, manipulates the document’s appearance by adding overlaying signature elements to a document that permits filling out form fields.

“By inserting a signature field, the signer can define the exact position of the field, and additionally its appearance and content,” the researchers said. “This flexibility is necessary since each new signature could contain the signer’s information. The information can be a graphic, a text, or a combination of both. Nevertheless, the attacker can misuse the flexibility to stealthily manipulate the document and insert new content.”

In a hypothetical attack scenario detailed by the academics, a certifier creates a certified contract with sensitive information while enabling the option to add further signatures to the PDF contract. By taking advantage of these permissions, an attacker can modify the contents of the document, say, to display an International Bank Account Number (IBAN) under their control and fraudulently transfer funds, as the victim, unable to detect the manipulation, accepts the tampered contract.

15 of 26 PDF applications evaluated by the researchers, counting Adobe Acrobat Reader (CVE-2021-28545 and CVE-2021-28546), Foxit Reader (CVE-2020-35931), and Nitro Pro, were found vulnerable to the EAA attack, enabling an attacker to change the visible content in the document. Soda PDF Desktop, PDF Architect, and six other applications were identified as susceptible to SSA attacks.

More troublingly, the study revealed that it’s possible to execute high-privileged JavaScript code — e.g., redirect the user to a malicious website — in Adobe Acrobat Pro and Reader by sneaking such code via EAA and SSA as an incremental update to the certified document. The weakness (CVE-2020-24432) was addressed by Adobe as part of its Patch Tuesday update for November 2020.

To fend off such attacks, the researchers recommend prohibiting FreeText, Stamp, and Redact annotations as well as ensuring that signature fields are set up at defined locations in the PDF document prior to certification, alongside penalizing any subsequent addition of signature fields with an invalid certification status. The researchers have also created a Python-based utility called PDF-Detector, which parses certified documents to highlight any suspicious elements found in the PDF document.

“Although neither EAA nor SSA can change the content itself – it always remains in the PDF – annotations and signature fields can be used as an overlay to add new content,” the researchers said. “Victims opening the PDF are unable to distinguish these additions from regular content. And even worse: annotations can embed high privileged JavaScript code that is allowed to be added to certain certified documents.”
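Both attacks leave the certified bytes intact and append their overlay as an incremental update, so a scanner can work the way the researchers’ recommendations suggest: find the revision that carries the certification (DocMDP) signature, then inspect everything appended after it for FreeText, Stamp or Redact annotations, new signature fields, and JavaScript. The following is an added example in that spirit, not the PDF-Detector tool itself. It runs on a constructed two-revision PDF embedded as bytes (minimal on purpose, with no xref tables, so a viewer would not open it) and treats each `%%EOF` as a revision boundary; object streams and compressed objects in real files would need decoding first, which is noted as a limitation rather than handled here.

```python
import re

# Annotation types the Bochum researchers recommend refusing on certified documents.
SUSPICIOUS_ANNOTS = {b"FreeText", b"Stamp", b"Redact"}

# Constructed two-revision PDF: revision 0 carries a certification (DocMDP) signature;
# revision 1 is an incremental update that overlays a FreeText annotation and adds a
# signature field. No xref tables, so this is a test fixture, not a viewer-valid file.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Perms << /DocMDP 4 0 R >> "
    b"/AcroForm << /Fields [5 0 R] /SigFlags 3 >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Sig /Filter /Adobe.PPKLite /Reference [ << /Type /SigRef "
    b"/TransformMethod /DocMDP /TransformParams << /P 3 >> >> ] >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Widget /FT /Sig /T (Certifier) /V 4 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R] >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /FreeText /Rect [72 640 400 680] "
    b"/Contents (Pay to account 000-000) >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Widget /FT /Sig /T (Extra) /Rect [0 0 200 60] >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)


def split_revisions(pdf):
    """Return the original file and each appended incremental update as separate byte strings."""
    revisions, start = [], 0
    for m in re.finditer(rb"%%EOF\r?\n?", pdf):
        revisions.append(pdf[start:m.end()])
        start = m.end()
    if pdf[start:].strip():
        revisions.append(pdf[start:])
    return revisions


def certification_revision(revisions):
    """Index of the revision carrying the DocMDP (certification) signature, or None."""
    for i, rev in enumerate(revisions):
        if re.search(rb"/TransformMethod\s*/DocMDP", rev):
            return i
    return None


def scan_certified_pdf(pdf):
    """List (revision, kind, detail) for post-certification content that can overlay text."""
    revisions = split_revisions(pdf)
    cert = certification_revision(revisions)
    findings = []
    if cert is None:
        return findings  # not certified: nothing to compare later revisions against
    for idx in range(cert + 1, len(revisions)):
        rev = revisions[idx]
        for m in re.finditer(rb"/Subtype\s*/([A-Za-z]+)", rev):
            if m.group(1) in SUSPICIOUS_ANNOTS:
                findings.append((idx, "annotation", m.group(1).decode()))
        if re.search(rb"/FT\s*/Sig", rev):
            findings.append((idx, "signature-field", "field added after certification"))
        if re.search(rb"/(S\s*/JavaScript|JS)\b", rev):
            findings.append((idx, "javascript", "script in a post-certification update"))
    return findings
```

On the fixture the scanner reports the FreeText overlay and the extra signature field, both in revision 1, and reports nothing when given revision 0 alone. Whether those additions are permitted at all depends on the `/P` level the certifier chose; the researchers’ advice is to treat added signature fields as invalidating the certification regardless, which is what this check does.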

Security vendor says it has observed threat groups using a set of 16 tools specifically designed to attack Pulse Secure devices since April 2020.

Multiple cyberthreat groups believed to be working in support of China’s long-term economic interests are continuing to hammer away at networks belonging to organizations across the defense, high-tech, government, transportation, and financial services sectors in the US and Europe.

FireEye’s Mandiant group this week reported it had responded to numerous intrusions where China-based threat actors compromised Pulse Secure VPN appliances to break into an organization’s network and steal sensitive data.

In many instances, the attackers took advantage of an authentication bypass vulnerability in the Pulse Connect Secure (PCS) appliance (CVE-2021-22893) and a combination of previously known vulnerabilities to gain initial access on a victim network. The authentication bypass flaw was discovered and patched last month — but only after attackers had begun exploiting it in the wild. However, Mandiant researchers were often unable to determine an initial access vector because the threat actors deleted or altered forensic evidence or the Pulse Secure appliance itself had gone through software updates that destroyed evidence of initial compromise.

Mandiant’s warning this week on the advanced persistent threat (APT) activity from China targeted at US and European companies is an update to a warning it had issued last month on the same issue. In that alert, Mandiant had reported on two China-based groups — UNC2630 and UNC2717 — using a battery of malware tools to target vulnerabilities in Pulse Secure VPN appliances. Mandiant said it had observed UNC2630 targeting organizations in the US defense industrial base and UNC2717 hitting an organization in the EU. The Mandiant report offered an analysis of 12 malware code families that the security vendor said it had observed the attackers using to specifically target vulnerabilities in Pulse Secure VPN appliances.

In this week’s report, Mandiant said it had uncovered four additional malware families — Bloodmine, Bloodbank, CleanPulse and RapidPulse — that appear specifically designed to exploit vulnerabilities in Pulse Secure VPN devices. That brings the total number of malware families that Mandiant says it has observed Chinese APT groups using to specifically target Pulse Secure VPNs since last April to 16.

“The exploitation activity we have observed is a mix of targeting unpatched systems with CVEs from 2019 and 2020, as well as a previously unpatched 2021 CVE (CVE-2021-22893),” says Stephen Eckels, reverse engineer at Mandiant. “Since our original report, Pulse Secure and Mandiant have worked together, and the zero-day has since been patched.”  

Similarly, other vulnerabilities that Pulse Secure’s parent Ivanti discovered as part of a code review have also been patched, he says.

“At this time, Pulse Secure has patched all known vulnerabilities,” Eckels says.

Once on a network, the attackers have employed different methods to achieve persistence and for lateral movement. In some instances, the attackers have established their own local admin accounts on strategic Windows servers and used that to operate freely within the victim network. They also have been exclusively using Pulse Secure webshells and malware to maintain presence rather than relying on backdoors on internal endpoints. With some attacks, the threat actors targeted individuals with privileged accounts by previously compromising unprivileged accounts belonging to the same individuals.
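Of the persistence techniques listed, a freshly created local account being added to the Administrators group is the one that leaves a clean trail in the Windows Security log: event 4720 (a user account was created) followed within moments by event 4732 (a member was added to a security-enabled local group) naming the built-in Administrators group, SID S-1-5-32-544. The following is an added example, not Mandiant’s tooling, that correlates the two over constructed event records; the flattened record shape and the one-hour pairing window are assumptions for the example.

```python
from datetime import datetime

LOCAL_ADMINS_SID = "S-1-5-32-544"      # BUILTIN\Administrators
EVENT_USER_CREATED = 4720              # "A user account was created"
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732  # "A member was added to a security-enabled local group"
WINDOW_SECONDS = 3600                  # assumed pairing window between creation and elevation

# Constructed Security-log records in a flattened shape (not real exported data).
EVENTS = [
    {"time": "2021-05-20T02:11:05", "id": 4720, "host": "FILESRV01",
     "subject": "CORP\\svc_backup", "account": "FILESRV01\\updater"},
    {"time": "2021-05-20T02:11:09", "id": 4732, "host": "FILESRV01",
     "subject": "CORP\\svc_backup", "account": "FILESRV01\\updater", "group_sid": "S-1-5-32-544"},
    {"time": "2021-05-20T09:30:00", "id": 4720, "host": "HR-WS12",
     "subject": "CORP\\helpdesk1", "account": "HR-WS12\\temp"},
    {"time": "2021-05-20T09:31:00", "id": 4732, "host": "HR-WS12",
     "subject": "CORP\\helpdesk1", "account": "HR-WS12\\temp", "group_sid": "S-1-5-32-545"},
    {"time": "2021-05-21T14:00:00", "id": 4732, "host": "FILESRV01",
     "subject": "CORP\\admin_jane", "account": "CORP\\jdoe", "group_sid": "S-1-5-32-544"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def correlate_local_admins(events, window=WINDOW_SECONDS):
    """Pair each addition to the local Administrators group with a recent creation of that account.

    Returns (new_admins, existing_elevated): accounts created and elevated within the window,
    which is the pattern described for these intrusions, and pre-existing accounts that were
    elevated, which deserve a look but are usually routine administration.
    """
    created = {}
    for e in sorted(events, key=_when):
        if e["id"] == EVENT_USER_CREATED:
            created[(e["host"], e["account"].lower())] = e
    new_admins, existing_elevated = [], []
    for e in sorted(events, key=_when):
        if e["id"] != EVENT_LOCAL_GROUP_MEMBER_ADDED or e.get("group_sid") != LOCAL_ADMINS_SID:
            continue
        c = created.get((e["host"], e["account"].lower()))
        delta = (_when(e) - _when(c)).total_seconds() if c is not None else None
        if delta is not None and 0 <= delta <= window:
            new_admins.append({"host": e["host"], "account": e["account"],
                               "by": e["subject"], "delta_s": int(delta)})
        else:
            existing_elevated.append({"host": e["host"], "account": e["account"], "by": e["subject"]})
    return new_admins, existing_elevated
```

On the sample, `FILESRV01\updater` is reported as a new local admin created four seconds before its elevation, the account added to the Users group (S-1-5-32-545) is ignored, and the elevation of an existing domain account lands in the second list. The subject field is what turns this into a lead: here the creating principal is a backup service account, which should never be provisioning administrators.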

Strategic Goals
According to Mandiant, UNC2630 and UNC2717 are just two of multiple threat groups targeting Pulse Secure VPNs that appear to be working in the interests of the Chinese government. Several of the groups are using the same set of tools, but their tactics and techniques have tended to vary.

The main motivation appears to be to gather data that would help China achieve the objectives of its recent 14th Five Year Plan. Many of the victims are from industries that China considers to be of strategic importance, including high tech and defense. Mandiant says it has observed instances where the Chinese threat actors have stolen intellectual property with dual commercial and military applications.

So far, at least, there has been no evidence that the threat actors have stolen US data that would give Chinese companies an economic advantage. A 2015 agreement between President Barack Obama and Chinese counterpart Xi specifically prohibits cyber espionage involving such data. But that doesn’t mean they haven’t, says Ben Read, director of analysis at Mandiant threat intelligence.

“Right now we’re not able to say that they haven’t, just that we don’t have direct evidence that they have violated [the agreement],” he says. “Some of the affected entities are private companies that would have commercial intellectual property, the theft of which would violate the agreement. We just have not seen direct evidence of that type of data being staged or exfiltrated.”  

Mandiant’s report on the ferocious APT activity from China coincides with a warning from Microsoft this week about a widespread email campaign by Nobelium, the Russian threat actor behind the SolarWinds attack. In both instances, the primary motive appears to be cyber espionage in support of strategic national goals.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


As more organizations make their way to the cloud, their eyes are wide open to the associated cybersecurity risks that tag along for the ride.

With the pandemic as their catalyst, enterprises had no choice but to take a “quantum leap forward” and migrate to the cloud, according to Osterman Research and Sonrai Security. For their “State of Enterprise Cloud Security Report: The Good, The Bad, The Ugly,” they turned to large enterprises, most of which are in the US and work in hybrid cloud environments, to learn about their biggest concerns. Here are their top five:

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.


A new study examines the tools and technologies driving investment and activities for security operations centers.

The complexity in managing security operations centers (SOCs) has spiked, survey data shows.

In its Second Annual Study on the Economics of Security Operations Centers, the Ponemon Institute found 81% of companies considered managing a SOC to be highly complex.

The survey of 682 SOC managers, security analysts, general security practitioners, IT managers, and directors who have a SOC in their organizations also revealed:

  • The ROI of SOC investments is decreasing. More than half (51%) of respondents say the ROI of the SOC is getting worse, compared to 44% in 2019.
  • Working in the SOC is stressful: 85% of respondents report their work is painful or very painful.
  • Despite the challenges, 80% of organizations feel their SOC is essential or very important compared to 73% in 2019.

The Dark Reading report Building the SOC of the Future examines the forces of change that are influencing the activities in today’s SOCs, as well as which tools and technologies security leaders are investing in to address an evolving threat landscape.

Read the full report here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.


Microsoft shares the details of a wide-scale malicious email campaign attributed to Nobelium, the group linked to the SolarWinds supply chain attack.

The group behind last year’s SolarWinds supply chain attack is conducting an advanced and widespread email campaign that delivers malicious links while impersonating the US Agency for International Development (USAID), Microsoft reports.

Microsoft’s Threat Intelligence Center (MSTIC) says it has been tracking this Nobelium-operated campaign since January 2021 and it has evolved as the group experiments with new tactics. The phishing attack has so far targeted some 3,000 accounts at more than 150 organizations across several industry verticals. The victims span 24 countries, though most attacks aimed at the US.

Nobelium, a group connected to Russia, has historically targeted organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers. In this case, Microsoft reports at least a quarter of targets work with international development, humanitarian, and human rights work.

Its newest campaign leverages Constant Contact, a legitimate mass-mailing service used for email marketing. Because of the high volume of emails sent in this campaign, automated email threat detection marked many of the malicious messages as spam. Some automated systems may nonetheless have delivered them, depending on their configuration and policy settings.

Microsoft reports the attackers gained control of USAID’s Constant Contact account, allowing them to send seemingly authentic emails from USAID to thousands of recipients. The May 25 campaign went through many iterations; in one example, the emails appear to come from USAID but carry an authentic sender address belonging to Constant Contact.

“Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID,” wrote Tom Burt, corporate vice president for consumer security and trust at Microsoft, in a blog post. Burt noted Microsoft is in the process of notifying targeted customers and there is no indication these attacks use an exploit against, or flaw in, Microsoft products and services.

Using Constant Contact allowed the attackers to hide their links behind the mailing service’s own URLs. Microsoft notes that many email and document service providers offer link-sharing tools that also report who clicked a link and when, so a tracking link from such a service looks routine to recipients and to many filters.
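The two properties of the lure described above (a visible sender that names one organisation while the address and envelope belong to a mailing service, and links that go to that service’s tracking host rather than to the organisation) can be checked directly from a message’s headers and body. The following is an added example, not code from the article, from Microsoft or from Volexity; the service domains, brand list, addresses and URLs in it are constructed, and a real deployment would replace them with the mailing services and brands an organisation actually sees.

```python
"""Added example (not from the original article, Microsoft or Volexity):
flag mailing-service messages whose visible sender does not match the domain
that actually sent them, and pull out the tracking links they carry.
All addresses, domains, URLs and messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical list of bulk-mailing / link-tracking service domains.
MAILING_SERVICE_DOMAINS = {"bulkmail.example"}
# Hypothetical map of brand display names to the domain they legitimately use.
KNOWN_BRANDS = {"agency newsroom": "agency.example"}


class _LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _is_service_host(host):
    """True if host is, or sits under, one of the mailing-service domains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in MAILING_SERVICE_DOMAINS)


def extract_links(msg):
    """Return every link found in the text/html and text/plain parts."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.hrefs)
        elif ctype == "text/plain":
            links.extend(re.findall(r"https?://[^\s<>\"']+", part.get_content()))
    return links


def analyze_message(raw):
    """Return sender/link facts and a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, envelope = parseaddr(msg.get("Return-Path") or msg.get("Sender") or "")
    envelope_domain = envelope.rpartition("@")[2].lower()
    links = extract_links(msg)
    tracked = [u for u in links if _is_service_host(urlsplit(u).hostname)]

    findings = []
    brand_domain = KNOWN_BRANDS.get(display_name.strip().lower())
    if brand_domain and from_domain != brand_domain:
        findings.append(f"display name '{display_name}' belongs to {brand_domain}, address is @{from_domain}")
    if _is_service_host(from_domain):
        findings.append(f"From address domain {from_domain} is a mailing service, not the named sender")
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"Return-Path domain {envelope_domain} differs from From domain {from_domain}")
    if links and len(tracked) == len(links):
        findings.append(f"all {len(links)} link(s) go through the mailing service's tracking host")
    return {"from_domain": from_domain, "links": links, "tracked_links": tracked, "findings": findings}


# Constructed sample with the lure's shape: brand name in the display name,
# mailing-service address, and a tracking link instead of a brand-owned URL.
LURE = """\
Return-Path: <bounce-123@bulkmail.example>
From: Agency Newsroom <newsroom@bulkmail.example>
To: target@victim.example
Subject: Special Alert
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>View the documents:
<a href="https://trk.bulkmail.example/click?u=abc123">Download</a></p></body></html>
"""

# Constructed sample of a genuine message from the brand's own domain, for contrast.
LEGIT = """\
Return-Path: <newsroom@agency.example>
From: Agency Newsroom <newsroom@agency.example>
To: target@victim.example
Subject: Monthly update
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Read the update at https://www.agency.example/updates/may
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        result = analyze_message(raw)
        print(label, result["findings"] or ["no findings"])
```

The point of the brand check is that SPF and DKIM will both pass for a message sent through a legitimate mailing service, so authentication results alone do not separate the lure from the genuine newsletter; the display-name-versus-domain comparison and the link targets do.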

When clicked, the malicious link in the email delivers an ISO file containing a malicious LNK file, a malicious DLL, and a legitimate decoy document referencing foreign threats to the 2020 US federal elections, Volexity researchers explain in a blog post on the threat published this week. Microsoft notes the DLL is a custom Cobalt Strike Beacon loader that it calls NativeZone.

If the payloads deploy successfully, the attackers gain persistent access to compromised systems, from which they can move laterally, steal data, deploy additional malware, and infect other machines on the network.
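The ISO-to-LNK-to-DLL chain described above leaves a recognisable process-creation trace: a DLL host binary started from a shortcut, with the DLL on a freshly mounted volume or in a user-writable directory. The following is an added example, not code from the article, from Microsoft or from Volexity, of that logic run over constructed Sysmon-style events. It assumes the LNK invokes the DLL through rundll32.exe or regsvr32.exe (the article does not give the shortcut’s command line), that the ISO mounts as a drive letter other than the system drive, and that a double-clicked shortcut makes explorer.exe the parent process.

```python
"""Added example (not from the original article, Microsoft or Volexity):
a small detection pass over constructed Sysmon-style process-creation events
for a DLL executed from a mounted ISO or a user-writable directory."""
import json
import re
from pathlib import PureWindowsPath

# Binaries commonly used to run a DLL from a shortcut (assumption: the article
# does not say which host binary the LNK used).
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# Directory fragments a standard user can write to without elevation.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\desktop\\")
SYSTEM_DRIVE = "c:"
# A drive-letter path ending in .dll inside the command line.
_DLL_ARG = re.compile(r'([a-z]:\\[^",\s]*?\.dll)', re.I)


def classify(event):
    """Return the reasons an event looks like the ISO/LNK/DLL chain, or [] if it does not."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in DLL_HOSTS:
        return []
    reasons = []
    for dll in _DLL_ARG.findall(event.get("CommandLine", "")):
        low = dll.lower()
        if not low.startswith(SYSTEM_DRIVE):
            reasons.append(f"{image} loads {dll} from a non-system volume (mounted ISO or removable media)")
        if any(frag in low for frag in USER_WRITABLE):
            reasons.append(f"{image} loads {dll} from a user-writable directory")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if reasons and parent == "explorer.exe":
        reasons.append("parent is explorer.exe, consistent with a double-clicked shortcut")
    return reasons


def scan(jsonl):
    """Run classify() over newline-delimited JSON events; return (ProcessId, reasons) for each hit."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ProcessId"), reasons))
    return hits


# Constructed Sysmon-style (Event ID 1) records; hosts, paths and PIDs are made up.
# Record 1 is the assumed lure chain; 2 and 4 are benign; 3 is a DLL run from Temp.
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32.exe D:\\Documents\\Documents.dll,Open"}
{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"ProcessId": 4212, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"}
{"ProcessId": 4300, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe D:\\Documents\\README.txt"}
"""

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, *reasons, sep="\n  ")
```

The non-system-drive test is deliberately broad: it will also fire on DLLs run from USB media or secondary disks, so in production it is better paired with a volume-mount event for the same drive letter shortly before the process start than used on its own.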

“Microsoft security researchers assess that the Nobelium’s spearphishing operations are recurring and have increased in frequency and scope,” MSTIC wrote in a separate blog post sharing the details of this attack, as well as its evolution and mitigations. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”

A Closer Look At Nobelium’s Strategy
This active campaign is notable for a few reasons, Burt explained. When considered along with the SolarWinds attack, it’s clear Nobelium aims to breach trusted technology providers and infect their customers.

“By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem,” Burt wrote.

While different from the attack on SolarWinds, this campaign underscores the consistency of cyber espionage. SolarWinds was notable for its stealth and discipline, but loud and widespread spear-phishing attacks were once a “calling card” of SVR operators, who launched noisy phishing campaigns, says John Hultquist, vice president of analysis at Mandiant Threat Intelligence. He adds that these attacks by Russia’s Foreign Intelligence Service often succeeded in gaining access to major government offices and other targets.

“And while the spear-phishing emails were quickly identified, we expect that any post-compromise actions by these actors would be highly skilled and stealthy,” he points out. This newly identified campaign seems to have ramped up as the supply chain attacks were winding down, a sign these threats aren’t going away any time soon.

“Given the brazen nature of this incident,” Hultquist says, “it does not appear the SVR is prepared to throttle down on their cyberespionage activity.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …
