The Cybersecurity and Infrastructure Security Agency (CISA), Microsoft, the FBI and many other agencies are engaged in addressing a spearphishing campaign targeting government organisations, intergovernmental organisations (IGOs), and non-governmental organisations (NGOs). A sophisticated cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to spoof a U.S.-based government organization and distribute links to malicious URLs.
The spearphishing campaign was launched by the cyber threat actor, Nobelium, who were behind the infamous SolarWinds compromise back in 2020. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as Nobelium leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organisation and distribute malicious URLs to a wide variety of organisations and industry verticals.
Nobelium has historically targeted government organisations, NGOs, think tanks, military, IT service providers, health technology and research, and telecommunications providers.
This new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service’s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.
Suggested Mitigations - CISA
Implement multi-factor authentication (MFA) for every account. While privileged accounts and remote access systems are critical, it is also important to ensure full coverage across SaaS solutions. Enabling MFA for corporate communications platforms (as with all other accounts) provides vital defense against these types of attacks and, in many cases, can prevent them.
Keep all software up to date. The most effective cyber security programs quickly update all of their software as soon as patches are available. If your organisation is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited.
Implement endpoint and detection response (EDR) tools. EDR allows a high degree of visibility into the security status of endpoints and is can be an effective tool against threat actors. Note: Organizations using Microsoft Defender for Endpoint or Microsoft 365 Defense should refer to Microsoft: Use attack surface reduction rules to prevent malware infection for more information on hardening the enterprise attack surface.
Implement centralised log management for host monitoring. A centralised logging application allows technicians to look out for anomalous activity in the network environment, such as new applications running on hosts, out-of-place communication between devices, or unaccountable login failures on machines. It also aids in troubleshooting applications or equipment in the event of a fault. CISA and the FBI recommend that organisations:
Forward logs from local hosts to a centralised log management server—often referred to as a security information and event management (SIEM) tool.
Ensure logs are searchable. The ability to search, analyse, and visualise communications will help analysts diagnose issues and may lead to detection of anomalous activity.
Correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organisation can better triage an individual event and determine its impact to the organisation as a whole.
Review both centralised and local log management policies to maximise efficiency and retain historical data. Organisations should retain critical logs for a minimum of 30 days.
Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers and other post-exploitation tools.
Implement unauthorised execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
Configure and maintain user and administrative accounts using a strong account management policy.
Use administrative accounts on dedicated administration workstations.
Limit access to and use of administrative accounts.
Use strong passwords. For more information on strong passwords, refer to CISA Tip: Choosing and Protecting Passwords and National Institute of Standards (NIST) SP 800-63: Digital Identity Guidelines: Authentication and Lifecycle Management.
Remove default accounts if unneeded. Change the password of default accounts that are needed.
Disable all unused accounts.
Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails.