Microsoft confirmed on Friday that tools used by its customer-service agents had been compromised by the SolarWinds hackers, who then used Microsoft's own tools to launch attacks on its customers.

The company detected the intrusion at an early stage of the compromise and sent warning messages to the affected users. When Reuters first reviewed these messages, Microsoft confirmed that the activity was attributed to a new threat actor called Nobelium (email-based attacks), which has been active since the second half of May.

Microsoft identified Nobelium phishing activity that accessed Microsoft customer-service subscriptions. According to the Microsoft Threat Intelligence team, the activity was mostly unsuccessful, and the majority of targets were not compromised. Microsoft has nevertheless warned all affected customers through its nation-state notification process.

According to Microsoft's threat intelligence research, the attackers mainly focused on the US, UK, Germany, Canada, and 36 other countries, attempting to compromise data through the customer-service agent tools.

Detailed Analysis

Following its investigation, Microsoft confirmed that it had observed information-stealing malware on the machine of a customer-support agent who had limited access to its systems and networks. The SolarWinds threat actors used this access to launch highly targeted attacks as part of their broader campaign, but the affected systems were secured and the malware was removed from the infected machines.

Once the attack was stopped and the systems secured, Microsoft reinforced security best practices, namely Zero Trust architecture and two-factor authentication, as precautionary measures to protect customer data.

Conclusion:

Microsoft recommends the following safeguards against such attacks:

  1. Implement a Zero Trust model on the network.
  2. Provide users with least-privileged account access.
  3. Implement two-factor authentication for access to the network.
  4. Add identity and access management.

By Michael

The writer of Infohaunt is a cyber security professional with experience in SOC operations, threat management, incident response, threat hunting, and digital forensics.