Microsoft recently revealed that an attacker gained access to a few of its customer service agents and used that access to launch attacks against customers. The company found the compromise while responding to other intrusions. These intrusions are similar to the earlier breaches at SolarWinds and Microsoft.
Microsoft has taken appropriate action and informed all customers affected by the hack. A warning from Microsoft identified the hackers as NOBELIUM. It also stated that the breach happened sometime in the second half of May.
The warning read, “A sophisticated Nation-State associated actor that Microsoft identifies as NOBELIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions.” Microsoft continues to investigate this hacking group that used SolarWinds software updates to compromise networks belonging to 100 private companies and 9 U.S. agencies.
In a post referring to the hack, Microsoft said, “As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. In some cases, the actor used this information to launch highly targeted attacks as part of their broader campaign.”
The hackers were able to access the billing contact information available to the compromised agent. Microsoft has reportedly asked affected customers to change their usernames and email addresses. The tech giant has also barred the old usernames from logging in.
SolarWinds was affected by a supply chain attack that came to light in December last year. NOBELIUM hacked the Texas-based company and took control of its software build system. This allowed the hackers to push malicious updates to over 18,000 SolarWinds customers. Malwarebytes, an anti-malware provider, was also a victim of NOBELIUM; however, the hackers used a different vector, which the company failed to identify.
Microsoft also revealed that the hackers targeted specific customers. About 57% of those affected were IT companies, 20% were government organizations, and the remainder were think tanks, non-governmental organizations, and financial services. Most of the activity was focused on US interests, while 10% of those affected were UK customers. A total of 36 countries were targeted, including Germany and Canada.
The company has yet to provide details about how long the computers were compromised. It is still unknown whether the compromise hit contractor devices on a home network or Microsoft-managed machines on a Microsoft network. Many security analysts were shocked by this disclosure.
Microsoft stated that the hackers used its employee accounts to access software instructions related to its user identity verification process. Some have argued that this breach was not as bad as the SolarWinds hack. At present, Microsoft is working with Homeland Security’s cybersecurity agency and interagency partners to assess the damage.
The SolarWinds breach was severe because multiple networks were penetrated, which means securing those systems will be difficult and expensive. With access to government networks, hackers could easily impersonate legitimate people. This is one of the largest breaches in recent history, but it has put cybersecurity teams into action. FireEye, a private cybersecurity firm, was the first to notice the hack in its own systems.
The CEO of FireEye, Kevin Mandia, said that this breach could accelerate cybersecurity changes. He explained that companies are now looking for hacks through their systems instead of reacting after the attack is found. This recent attack has led to the US government rearranging its cybersecurity efforts. They plan on making the Cyber Command independent from the National Security Agency.
Microsoft suggested security practices for its users to adopt. It encourages users to employ measures such as zero-trust architecture and multi-factor authentication. Microsoft also described a security model that treats all users as potential threats until their identity is properly verified. Windows 11 will require a trusted platform module (TPM), a specific hardware security feature. All users will need this module on their new and existing devices in order to upgrade.