In a report, the ANSSI (French National Cybersecurity Agency) revealed that it has observed several phishing campaigns directed against French entities since February 2021. Compromised email accounts belonging to French organizations were then used to spread the malware and send malicious emails to foreign institutions; the campaigns have been ascribed to the Nobelium intrusion set.
Per the report, the French entities have also been recipients of malicious emails sent from compromised foreign institutions. The agency has attributed these attacks to the Nobelium intrusion set. The Russian-backed Nobelium hacking group is also responsible for last year’s SolarWinds attack.
According to Microsoft, Nobelium was still active in October 2021. The intrusion set was possibly used in attack campaigns targeting Active Directory Federation Services (AD FS) servers to compromise government bodies, think tanks, and private firms in the U.S. and Europe.
“The Microsoft Threat Intelligence Center (MSTIC) observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system,” Microsoft added.
Given that the chain of compromise relies on the target opening a malicious file attachment delivered by a phishing campaign, it is recommended that suspicious files not be executed.
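The attachment-to-Beacon chain Microsoft describes (browser or mail client writes an ISO, the ISO is mounted, a shortcut runs an accompanying DLL) leaves a sequence of endpoint events that can be correlated. The detector below is an added example for defenders and is not code from ANSSI, Microsoft or CISO MAG; the event dictionaries and their field names (host, ts, kind, proc, path, image, volume, cmdline) are a constructed, normalised telemetry shape that the reader would map onto their own EDR or Sysmon data, and the sample records are constructed.

```python
from datetime import datetime, timedelta

MAIL_OR_BROWSER = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}   # binaries a LNK typically uses to load a DLL
WINDOW = timedelta(minutes=15)                 # assumed correlation window


def _t(s):
    return datetime.fromisoformat(s)


def detect_iso_lnk_chain(events):
    """Return one finding per host where, inside WINDOW, a mail client or browser
    writes an .iso (the HTML-smuggled payload), that image is mounted, and a
    DLL-hosting binary starts with a command line pointing at the mounted volume."""
    findings, hosts = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        hosts.setdefault(e["host"], []).append(e)
    for host, evs in hosts.items():
        for i, drop in enumerate(evs):
            if (drop["kind"] != "file_create" or drop["proc"].lower() not in MAIL_OR_BROWSER
                    or not drop["path"].lower().endswith(".iso")):
                continue
            volume = None
            for e in evs[i + 1:]:
                if _t(e["ts"]) - _t(drop["ts"]) > WINDOW:
                    break
                if e["kind"] == "mount" and e["image"].lower() == drop["path"].lower():
                    volume = e["volume"].lower() + "\\"      # e.g. "e:\" once mounted
                elif (volume and e["kind"] == "proc_start" and e["proc"].lower() in DLL_HOSTS
                        and volume in e["cmdline"].lower()):
                    findings.append({"host": host, "iso": drop["path"], "cmdline": e["cmdline"]})
                    break
    return findings


# Constructed sample telemetry: ws01 shows the full chain, ws02 a benign ISO download.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2021-10-04T09:12:01", "kind": "file_create", "proc": "msedge.exe",
     "path": r"C:\Users\alice\Downloads\invoice.iso"},
    {"host": "ws01", "ts": "2021-10-04T09:12:40", "kind": "mount",
     "image": r"C:\Users\alice\Downloads\invoice.iso", "volume": "E:"},
    {"host": "ws01", "ts": "2021-10-04T09:13:05", "kind": "proc_start", "proc": "rundll32.exe",
     "parent": "explorer.exe", "cmdline": r"rundll32.exe E:\invoice.dll,Open"},
    {"host": "ws02", "ts": "2021-10-04T10:00:00", "kind": "file_create", "proc": "chrome.exe",
     "path": r"C:\Users\bob\Downloads\ubuntu.iso"},
    {"host": "ws02", "ts": "2021-10-04T10:01:00", "kind": "mount",
     "image": r"C:\Users\bob\Downloads\ubuntu.iso", "volume": "F:"},
    {"host": "ws02", "ts": "2021-10-04T10:02:00", "kind": "proc_start", "proc": "rundll32.exe",
     "parent": "svchost.exe", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for f in detect_iso_lnk_chain(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['iso']} mounted, then {f['cmdline']}")
```

The benign ws02 sequence (an ISO download followed by an unrelated rundll32 from System32) is deliberately included so the rule fires only on the full chain, not on any ISO mount.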
The intrusion set tends to focus on Active Directory (AD) servers in particular. Tighter security measures should be applied. ANSSI has produced a guide containing recommendations for security hardening, which can be found on the CERT-FR website.
Mandiant, which has been tracking the Russian threat actor closely since the SolarWinds supply chain attack, has shared a few observations in its report.
“In most instances, post compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts,” Mandiant said.
This reflects what has been reported in the French organizations’ case where the compromised emails are further used to launch attacks on foreign institutions – creating routes to access other victim environments.
The post Nobelium’s Phishing Campaign Targets French Entities appeared first on CISO MAG | Cyber Security Magazine.