NOBELIUM is Targeting IT Service Providers. Here's What You Need to Know.
Today the Microsoft Threat Intelligence Center (MSTIC) released a statement regarding the threat actor NOBELIUM, which launched a campaign against cloud service providers (CSPs), managed service providers (MSPs) and other IT services organizations. By targeting IT providers, the actor is attempting to gain access to privileged customer accounts so it can move laterally throughout the cloud environment and reach downstream customers and systems.
Microsoft Recommendations to Protect Privileged Access
Microsoft recommends that customers that use service providers with elevated privileges review and implement the following actions to help mitigate and remediate the recent NOBELIUM activity.
1. Review, audit, and minimize access privileges and delegated permissions
- Review, harden, and monitor all tenant administrator accounts: All organizations should thoroughly review all tenant admin users, including those associated with Admin On Behalf Of (AOBO) in Azure subscriptions, and verify the authenticity of the users and their activity. We strongly encourage the use of strong authentication for all tenant administrators, a review of the devices registered for use with MFA, and minimizing the use of standing high-privilege access. Continue to re-inspect all active tenant admin user accounts and check audit logs on a regular basis to verify that high-privilege access is not granted or delegated to admin users who do not require it to do their job.
- Review service provider permissions access from B2B and local accounts: In addition to using the delegated administrative privilege capabilities, some cloud service providers use business-to-business (B2B) accounts or local administrator accounts in customer tenants. We recommend that you identify whether your cloud service providers use these, and if so, ensure those accounts are well-governed, and have least-privilege access in your tenant. Microsoft recommends against the use of “shared” administrator accounts. Review the detailed guidance on how to review permissions for B2B accounts.
2. Verify multi-factor authentication (MFA) is enabled and enforce conditional access policies.
- MFA is the best baseline security hygiene method to protect against threats. Follow the detailed guidance on setting up multifactor authentication in Microsoft 365, as well as the guidance on deploying and configuring conditional access policies in Azure Active Directory (Azure AD).
3. Review and audit logs and configurations.
- Review and audit Azure AD sign-ins and configuration changes: Authentications of this nature are audited and available to customers through the Azure AD sign-in logs, Azure AD audit logs, and the Microsoft 365 compliance center (formerly in the Exchange Admin Center). We recently added the capability to see sign-ins by partners who have delegated admin permissions. You can see a filtered view of these sign-ins by navigating to the sign-in logs in the Azure AD admin portal and adding the filter ‘Cross-tenant access type: Service provider’ on the ‘User sign-ins (non-interactive)’ tab.
- Review Existing Log Availability and Retention Strategies: Investigating activities conducted by malicious actors places a large emphasis on having adequate log retention procedures for cloud-based resources including Office 365. Various subscription levels have individualized log availability and retention policies which are important to understand prior to forming an incident response procedure.
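To make the sign-in review in step 3 repeatable outside the portal, here is an added Python example (not part of Microsoft's or OneNeck's guidance) that triages an exported sign-in log for delegated service-provider activity. It assumes records use Microsoft Graph signIn field names (crossTenantAccessType, homeTenantId, authenticationRequirement, status) and runs on constructed sample records with placeholder tenant IDs.

```python
"""Triage exported Azure AD sign-in records for service-provider (delegated admin) activity.

Assumption: records use Microsoft Graph signIn field names (crossTenantAccessType,
homeTenantId, authenticationRequirement, status). The sample data below is constructed.
"""
from collections import Counter


def _rec(upn, tenant, access, auth, error=0):
    """Build one constructed sign-in record (placeholder tenant IDs, not real data)."""
    return {"userPrincipalName": upn, "homeTenantId": tenant,
            "crossTenantAccessType": access, "authenticationRequirement": auth,
            "status": {"errorCode": error}}


SAMPLE_SIGNINS = [
    _rec("admin@partner.example", "PARTNER-TENANT-A", "serviceProvider", "multiFactorAuthentication"),
    _rec("svc@partner.example", "PARTNER-TENANT-A", "serviceProvider", "singleFactorAuthentication"),
    _rec("jane@customer.example", "HOME-TENANT", "none", "multiFactorAuthentication"),
    _rec("ops@otherpartner.example", "PARTNER-TENANT-B", "serviceProvider", "singleFactorAuthentication", 50126),
]


def service_provider_signins(records):
    """Sign-ins that came in through delegated service-provider (partner) access."""
    return [r for r in records if r.get("crossTenantAccessType") == "serviceProvider"]


def succeeded(record):
    """Graph reports a successful sign-in as status.errorCode == 0."""
    return record.get("status", {}).get("errorCode", 0) == 0


def flag_weak_provider_signins(records):
    """Successful partner sign-ins that did not satisfy MFA: reconcile these against the
    provider's change tickets first, since a password-only delegated-admin session is the
    access path the advisory warns about."""
    return [r for r in service_provider_signins(records)
            if succeeded(r) and r.get("authenticationRequirement") != "multiFactorAuthentication"]


def provider_tenants(records):
    """Partner home tenants seen using delegated access, with sign-in counts; any tenant
    you do not recognise as a contracted provider warrants investigation."""
    return dict(Counter(r["homeTenantId"] for r in service_provider_signins(records)))


if __name__ == "__main__":
    for r in flag_weak_provider_signins(SAMPLE_SIGNINS):
        print("MFA not satisfied:", r["userPrincipalName"], r["homeTenantId"])
    print("Provider tenants:", provider_tenants(SAMPLE_SIGNINS))
```

On a real export, feed the JSON array of signIn objects in place of SAMPLE_SIGNINS; the non-interactive sign-in export is where delegated partner sessions appear.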
What does OneNeck do to keep our customers safe?
As noted in Microsoft’s statement, MSPs like OneNeck are primary targets of this type of cyberattack. To ensure we have appropriate protections, detections and response, we leverage the Center for Internet Security’s (CIS) Critical Security Controls which are a series of cybersecurity actions prioritized by their criticality in preventing cyberattacks. OneNeck completes a CIS Critical Security Control’s assessment annually, along with incorporating the controls as part of any new service.
While we assess against all the controls, we also adhere to other top priority controls:
- Inventory and control of hardware and software assets: Our ReliaCloud environment is maintained in secure data centers that meet or exceed all physical and environmental controls (per our ISO/IEC 27001:2013 certification). We complete regular scans of our environment to assure that only known devices are present, and we maintain a CMDB (Configuration Management Database), per ITIL good practices, for all managed devices and software.
- Vulnerability management: OneNeck continuously acquires, assesses and acts on new information in order to identify vulnerabilities, remediate them and minimize the window of opportunity for attackers. Activities include:
  - Identifying vulnerabilities through vendor notifications, industry-leading security research organizations and OneNeck’s own security testing program.
  - Completing regular authenticated scanning and determining the appropriate risk rating based on the vulnerability type, the system’s usage and the impacted system’s architecture.
  - Closing the loop through automated software that ensures operating systems are running the most recent security updates provided by the vendors.
- Controlled use of administrative privileges: OneNeck uses non-default and unique passwords for all assets within ReliaCloud. Privileged accounts are managed in a secure password management system. Additionally, OneNeck leverages a remote access system that requires multi-factor authentication and tracks all privileged access and activities.
- Secure configurations: OneNeck maintains security configuration standards for all authorized operating systems and software. We store all master images and templates on securely configured servers and assure that only authorized changes are made to the images.
- Monitoring and analysis of audit logs: OneNeck has local logging on all critical infrastructure and ensures all appropriate logs are aggregated to a central log management system for analysis and review. OneNeck’s Security Operations Center (SOC) leverages our Security Information and Event Management (SIEM) platform, which provides correlation and analysis of all presented logs. Additionally, our SOC monitors and is alerted on critical situations 24×7 to assure the security of all OneNeck environments, in particular ReliaCloud.
As identified in the CIS Controls, we annually use third-party penetration (pen) testers to ensure the controls put in place are effective. A recent pen test revealed OneNeck has “Strong External Network Security Controls” in place and that our systems and services are well-patched and maintained.
Additionally, we stay informed through various mechanisms (vendors, industry, governments, dark web monitoring, etc.) to ensure we are aware of any emerging threats, in particular against MSPs. In a recent release, the FBI identified that most of the attacks involved compromised credentials, followed by pivoting between MSP and customer shared networks. The most common attack vectors include spear phishing, malicious web content and credential theft. We have multiple controls in place for email, including requiring MFA, blocking phishing emails, alerting on risky sign-ins and impossible travel, along with regular end user training and testing. Additionally, there is a whole series of controls we focus on as an MSP, which include:
- Ensure MSP accounts are not assigned to administrator groups.
- Restrict MSP accounts to only the systems they manage.
- Ensure MSP account passwords adhere to organizational policies.
- Use a dedicated Virtual Private Network (VPN) for MSP connection.
- Restrict VPN traffic to and from MSP.
- Ensure internet-facing networks reside on separate physical systems.
- Separate internal networks by function, location, and risk profile.
- Use firewalls to protect server(s) and designated high-risk networks.
- Ensure internal and external Domain Name System (DNS) queries are performed by dedicated servers.
- Disable or block all network services that are not required at the network boundary.
Along with all the controls we manage and review above, our annual attestations for SOC 1 Type II, SOC 2 Type II, and HIPAA further validate our commitment to a secure environment.
We understand that maintaining a strong risk profile is daunting as the threat landscape continues to grow. But as your partner, we are here to help. Don’t go it alone. Talk to one of our experienced security specialists today.