CISA released an alert summarizing a Microsoft Threat Intelligence Center (MSTIC) report on a wave of attacks targeting government agencies. The attacks were launched by NOBELIUM and involved phishing emails sent from an authentic USAID email address through the email marketing service Constant Contact. Each phishing email included a link that first took the user to a legitimate Constant Contact service and then redirected them, allowing a malicious ISO file to be delivered to the system. Once delivered and executed on the client machine, the ISO file gives NOBELIUM access to data and the ability to deliver additional malware. These attacks began on May 25th, and MSTIC expects them to evolve and continue. The recent attacks targeting Microsoft customers are said to have been mostly blocked; however, some of the earlier emails may have been delivered.

NOBELIUM is the same threat actor behind the 2020 SolarWinds attack and tends to abuse the trust placed in large-scale technology providers to gain access to networks. The group is currently targeting humanitarian and human rights organizations, but we have seen similar actors target healthcare organizations, and we advise organizations to follow the mitigation recommendations outlined by MSTIC:

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
  • Enable multifactor authentication (MFA) to mitigate compromised credentials.
  • Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes.
  • Lastly, ensure your users practice safe email hygiene by not clicking on suspicious links or responding to emails from unknown or suspicious sources.
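The Defender-side items in the list above (cloud-delivered protection, network protection, and the "Block all Office applications from creating child processes" attack surface reduction rule) can be applied and verified from an elevated PowerShell session on a Windows 10 / Windows Server host running Microsoft Defender Antivirus. The script below is an added example written for this note; it is not from CISA, MSTIC, or Microsoft. It assumes the built-in Defender PowerShell module is available and that the host is not managed by a Group Policy or Intune policy that overrides local preferences. The ASR rule GUID is the published identifier for that rule; confirm it against Microsoft's current ASR rule reference before rolling out, and use the `-Audit` switch on a pilot group first so the rule only logs instead of blocking.

```powershell
<#
  Added example (not part of the original alert): apply and verify the
  Defender mitigations recommended above, then summarize ASR rule events.
  Run from an elevated PowerShell session on a Defender-protected Windows host.
#>
param(
    # Roll the ASR rule out in audit mode first (logs event 1122 instead of blocking).
    [switch]$Audit
)

# GUID of the ASR rule "Block all Office applications from creating child processes".
# Verify against Microsoft's ASR rule reference for your Defender version.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# 1. Cloud-delivered protection: enable MAPS reporting and safe-sample submission.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# 2. Network protection: block access to known malicious domains and content.
Set-MpPreference -EnableNetworkProtection Enabled

# 3. ASR rule: block (or audit) Office applications spawning child processes.
$asrAction = if ($Audit) { 'AuditMode' } else { 'Enabled' }
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions $asrAction

# --- Verification -----------------------------------------------------------

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# AMRunningMode shows whether Defender AV is active, passive, or in EDR block mode.
# EDR block mode itself is turned on in the Defender for Endpoint portal, not here,
# so this only reports the current state for the admin to confirm.
[pscustomobject]@{
    MAPSReporting      = $pref.MAPSReporting          # 2 = Advanced
    SampleSubmission   = $pref.SubmitSamplesConsent   # 1 = SendSafeSamples
    NetworkProtection  = $pref.EnableNetworkProtection # 1 = Enabled
    OfficeChildProcASR = $(
        $i = [array]::IndexOf($pref.AttackSurfaceReductionRules_Ids, $OfficeChildProcRule)
        if ($i -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$i] } else { 'NotConfigured' }
    )                                                 # 1 = Enabled, 2 = AuditMode
    AMRunningMode      = $status.AMRunningMode
} | Format-List

# ASR rule hits land in the Defender Operational log:
#   1121 = rule blocked an action, 1122 = rule would have blocked (audit mode).
# Reviewing these after rollout shows whether the rule fires on legitimate
# workflows before it is switched from audit to block.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $OfficeChildProcRule } |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Blocked' } else { 'Audit' } } },
        Message |
    Format-Table -AutoSize -Wrap
```

The verification block is the part worth keeping in a fleet-wide check: `Get-MpPreference` confirms the settings actually took effect (a managed policy silently wins over local changes), `AMRunningMode` tells you whether a third-party AV has pushed Defender into passive mode, and the 1121/1122 event review is how you decide when an audited ASR rule is safe to switch to block.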