Posted on June 26, 2021 at 5:17 PM
Microsoft has reported that threat actors compromised its customer service agent’s device to launch attacks on its customers.
The tech giant stated that some of its customer support tools were infiltrated by a threat group known as Nobelium, which is linked to the SolarWinds attacks.
According to Microsoft, the attackers gained access to the computer of a customer service agent and used that foothold to compromise some customer devices.
The agent didn’t have full access to the systems but was able to access areas such as customers’ billing contact information and what services they used.
The threat actors used the information collected from the tools to launch “highly targeted” attacks on certain Microsoft customers.
Part of a larger hacking campaign
Microsoft says that the attack was part of an expansive attack launched by the Nobelium campaign, which is focused on governments and companies all over the world.
The company reiterated that it has contacted customers that were affected due to the incident and it has blocked access to the compromised device of the customer support agent.
Microsoft has stressed security as it prepares to release Windows 11. It is serious about protecting users' devices, requiring specific hardware for the upgrade to the newer Windows version. That way, it will be more difficult for threat actors to gain remote control over those systems.
Microsoft says it’s still tracking the activities of the hackers and revealed that their attack on its customers was largely unsuccessful.
The threat actors were largely unsuccessful
The company reiterated that the threat actors managed to infiltrate three entities but couldn't compromise most of their targets.
However, the report didn’t contain the names of the three compromised entities. It also didn’t mention whether the threat actors succeeded in getting their information from the compromised device of the customer support agent.
But the tech giant admitted that the device had access to certain details from a small number of customers and the threat actors exploited the info to launch their attacks.
As part of its investigation, Microsoft says it discovered info-stealing malware on the device of the customer support agent.
Microsoft says it’s still investigating the situation to understand the attack method deployed by the threat actor.
Microsoft said its quick response stopped the attackers from gaining broad access to customer details. It has also informed other targets via its nation-state notification process. US officials have linked Russia to the SolarWinds attack after previously linking Nobelium to Russia's intelligence agency.
Microsoft discovered last month that the same threat actors have been executing an advanced email-based spear-phishing campaign on large corporations, non-governmental organizations, and government agencies.
Most targets are based in the U.S.
The company noted that the threat group sent out malware-laden emails to targets after compromising the mass mailing service used by the USAID.
But this new campaign is slightly different when it comes to targets. While it still goes after NGOs and government organizations, it focuses more on IT companies.
As in past campaigns, the Nobelium threat group targeted organizations and companies based in the United States. While 30% of the targets are based in Canada, Germany, and the UK, 70% of the targets are in the U.S.
Also, Microsoft didn’t say whether the agent was a direct employee of the company or a contractor.
Customers asked to enable multi-factor authentication
Nobelium accessed the agent’s system in the second week of May, based on the warning notice received by Microsoft’s affected customers.
In the warning, the company told its customers to be wary of communications involving billing contacts. It also advised users to change their usernames and passwords to avoid being a victim of the attack. Additionally, Microsoft has asked users to enable multi-factor authentication to offer more security to their devices.
They should also follow security best practices such as zero-trust architecture, which treats all users as potential threats until they are properly verified.
Additionally, Microsoft has added a new security requirement, a Trusted Platform Module (TPM), to its forthcoming Windows 11, which is billed for release later this year.