Similar articles (article ID, source, date: title; probability, score where given):
208780 ZDNET 2021-05-28: Microsoft warns of current Nobelium phishing campaign impersonating USAID (prob 1.000)
208746 ARSTECHNICA 2021-05-28: SolarWinds hackers are back with a new mass campaign, Microsoft says (prob 0.973, score 0.694)
208731 THEVERGE 2021-05-28: Microsoft warns of ‘sophisticated’ Russian email attack targeting government agencies (prob 0.941, score 0.664)
208808 TECHREPUBLIC 2021-05-28: SolarWinds hackers resurface to attack government agencies and think tanks (prob 0.911, score 0.622)
209019 ARSTECHNICA 2021-05-30: The SolarWinds hackers aren’t back—they never went away (prob 0.380, score 0.546)
208900 ZDNET 2021-05-26: Emails landing in junk due to Microsoft Office 365 'change' (prob 0.002, score 0.497)
208729 ZDNET 2021-05-27: This phishing attack is using a call centre to trick people into installing malware on their Windows PC (prob 0.059, score 0.451)
208909 ZDNET 2021-05-27: Fake human rights organization, UN branding used to target Uyghurs in ongoing cyberattacks (score 0.448)
208625 ZDNET 2021-05-25: Iranian hacking group Agrius pretends to encrypt files for a ransom, destroys them instead (score 0.382)
208753 ZDNET 2021-05-28: Researchers find four new malware tools created to exploit Pulse Secure VPN appliances (score 0.352)
208573 ARSTECHNICA 2021-05-25: It’s ransomware, or maybe a disk wiper, and it’s striking targets in Israel (score 0.351)
209118 ZDNET 2021-05-31: Microsoft wants to unite APAC governments with cybersecurity council (score 0.346)
208924 ZDNET 2021-05-27: FBI issues warning about Fortinet vulnerabilities after APT group hacks local gov’t office (score 0.332)
209120 ZDNET 2021-05-31: Brazil approves stricter legislation to tackle online crime (score 0.328)
208587 ZDNET 2021-05-25: Microsoft adds more developer hooks into Teams, Microsoft 365 (score 0.323)
208710 ZDNET 2021-05-25: Java developers: Microsoft's OpenJDK build is now generally available (score 0.322)
208890 ZDNET 2021-05-27: Various Japanese government entities had data stolen in cyber attack: Report (score 0.319)
208488 VENTUREBEAT 2021-05-25: Tessian nabs $65M to solve cybersecurity’s ‘people problem’ (score 0.318)
208745 TECHREPUBLIC 2021-05-28: Microsoft touts biggest change to Outlook since 1997 with shared calendar improvements (score 0.314)
208705 ZDNET 2021-05-25: Not as complex as we thought: Cyberattacks on operational technology are on the rise (score 0.310)
208709 ZDNET 2021-05-25: Microsoft to make coding 'in plain English' easier with PowerFx and GPT-3 AI model (score 0.304)
208560 TECHREPUBLIC 2021-05-25: Microsoft Teams Speed Dial feature aims to bring "one tap dialing" to mobile devices (score 0.300)
208524 VENTUREBEAT 2021-05-25: Microsoft adds enterprise data from Salesforce, others to Windows search bar (score 0.298)
208599 ZDNET 2021-05-25: Microsoft adds enterprise support for PyTorch AI on Azure (score 0.298)
208516 VENTUREBEAT 2021-05-25: Microsoft unveils developer-focused Teams, Outlook, and Search updates (score 0.298)

ID: 208780

URL: https://www.zdnet.com/article/microsoft-warns-of-current-nobelium-phishing-campaign-impersonating-usaid/

Date: 2021-05-28

Microsoft warns of current Nobelium phishing campaign impersonating USAID

Russian-backed group gained control of the email marketing platform account used by USAID to ramp up its attacks.

Microsoft has warned that Nobelium is currently conducting a phishing campaign after the Russian-backed group took control of the account USAID uses on the email marketing platform Constant Contact. The campaign has targeted around 3,000 accounts linked to government agencies, think tanks, consultants, and non-governmental organisations, Microsoft said. Most of the malicious email went to the US, but it reached at least 24 countries.

"Nobelium launched this week's attacks by gaining access to the Constant Contact account of USAID," Microsoft corporate vice president of customer security and trust Tom Burt said. "From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network."

Burt added that many of the emails were blocked, and that there is no reason to think the attacks involve any vulnerability in Microsoft products.

The campaign was discovered in February, and Microsoft has since observed Nobelium changing its approach to getting malicious code onto victim computers, a post from the Microsoft Threat Intelligence Center (MSTIC) said. In one instance, if a Nobelium-controlled server detected an Apple iOS device, it served an exploit for a WebKit universal cross-site scripting vulnerability. Apple said on Wednesday it was aware of the vulnerability being actively exploited.

"In the May 25 campaign, there were several iterations. In one example the emails appear to originate from USAID, while having an authentic sender email address that matches the standard Constant Contact service," MSTIC said. "This address (which varies for each recipient) ends in @in.constantcontact.com ... and a Reply-To address of was observed."

Once the link is clicked, a malicious ISO is delivered that contains a decoy document, a shortcut, and a malicious DLL with a Cobalt Strike Beacon loader that Microsoft has named NativeZone. If the shortcut is run, the DLL is executed and Nobelium is off to the races.

"The successful deployment of these payloads enables Nobelium to achieve persistent access to compromised machines," MSTIC said. "Then, the successful execution of these malicious payloads could enable NOBELIUM to conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware."

MSTIC added that the Cobalt Strike Beacons call out to command and control infrastructure over port 443, and provided a list of indicators of compromise in its post.

"It's clear that part of Nobelium's playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem," Burt said. "This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organisations."

Burt called for rules governing how nations operate online, and for there to be consequences for violations. "Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace," he said.

Nobelium is best known for the SolarWinds supply chain hack, which planted a backdoor in thousands of organisations before the group cherry-picked nine US federal agencies and about 100 US companies to actually compromise and steal information from. Microsoft has previously called out pieces of malware used by the group.
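The defensive lesson in the Constant Contact abuse described above is that the mail was technically legitimate: it left the provider's own infrastructure from a per-recipient @in.constantcontact.com address, so SPF and DKIM authenticate the provider, not the organisation named in the display name. What remains detectable is the mismatch between the claimed organisation, the actual sender domain and the Reply-To domain. The following header triage is an added example and not code from the article or from Microsoft; the USAID-to-usaid.gov mapping, the message samples and the Reply-To domain are constructed (the article does not give the real Reply-To address).

```python
import email
from email import policy
from email.utils import parseaddr

# Organisations an attacker might name in the display name, mapped to the
# domain their legitimate mail actually comes from. Hypothetical table.
CLAIMED_ORGS = {"usaid": "usaid.gov"}

# Bulk-mail provider sender suffixes. Mail from these passes SPF/DKIM for the
# provider, not for the organisation in the display name. The
# @in.constantcontact.com suffix is the one the article quotes.
ESP_SENDER_SUFFIXES = ("@in.constantcontact.com",)

# Constructed samples, not messages from the campaign.
PHISH = """\
From: "USAID Public Affairs" <recipient-token@in.constantcontact.com>
Reply-To: replies@usaid-mail.invalid
To: analyst@example.org
Subject: Special Alert

Click the link to read the alert.
"""

BENIGN = """\
From: "USAID Public Affairs" <press@usaid.gov>
To: analyst@example.org
Subject: Weekly digest

Digest body.
"""


def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return the header-based signals."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    # Signal 1: sent through a bulk-mail provider, so passing authentication
    # says nothing about the organisation the message claims to be from.
    if from_addr.lower().endswith(ESP_SENDER_SUFFIXES):
        findings.append("sender is an email-marketing provider address")

    # Signal 2: display name claims an organisation the sender domain is not part of.
    for org, org_dom in CLAIMED_ORGS.items():
        if org in display.lower() and from_dom != org_dom \
                and not from_dom.endswith("." + org_dom):
            findings.append(f"display name claims {org} but sender domain is {from_dom or 'empty'}")

    # Signal 3: replies are routed to a third domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")

    return {"from": from_addr, "reply_to": reply_addr,
            "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

The threshold of two signals is a starting point rather than a rule: a real newsletter from a provider will trip signal 1 alone, and a mailing list that rewrites Reply-To will trip signal 3 alone, so the combination is what separates the impersonation pattern from ordinary bulk mail.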
Mimecast said in March that some of its source code and customer records were taken as part of the SolarWinds attack.
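The post-click chain the article describes (ISO delivered, the user opens it, the shortcut inside runs the DLL, the Beacon calls out on port 443) leaves a host-level trail that does not depend on the indicators in Microsoft's post. Windows mounts an opened ISO as a new drive letter, so a user-launched DLL loader whose DLL lives off the system drive, followed by an outbound 443 connection from the same process, is a usable correlation. The detection below is an added example, not code from the article or from Microsoft; it assumes Sysmon-style process-creation (event 1) and network-connection (event 3) records, and it assumes the shortcut launches the DLL through rundll32.exe, which the article does not specify. The events, paths and IP addresses are constructed.

```python
import re

# Constructed telemetry in the shape of Sysmon events 1 and 3, not real logs.
# The first pair models the chain from the article under the rundll32
# assumption; the second pair is a benign system component for contrast.
EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" E:\Report.dll,Open'},
    {"id": 3, "pid": 4100, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 1, "pid": 5200, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"id": 3, "pid": 5200, "dst_ip": "198.51.100.7", "dst_port": 443},
]

SYSTEM_DRIVE = "C:"
# Absolute DLL path on the command line; quotes, commas and whitespace end it.
DLL_PATH_RE = re.compile(r'(?i)\b([A-Z]:\\[^\s,"]+?\.dll)')


def loader_from_foreign_volume(ev: dict) -> bool:
    """True for a user-launched rundll32 whose DLL argument is off the system drive.

    parent explorer.exe models the double-click on the shortcut; a mounted
    ISO gets its own drive letter, so the DLL path is not on C:.
    """
    if ev["id"] != 1 or not ev["image"].lower().endswith(r"\rundll32.exe"):
        return False
    if not ev["parent_image"].lower().endswith(r"\explorer.exe"):
        return False
    m = DLL_PATH_RE.search(ev["cmdline"])
    return bool(m) and not m.group(1).upper().startswith(SYSTEM_DRIVE)


def detect(events: list) -> list:
    """Alert on suspicious loader starts; escalate if the process then talks on 443."""
    suspects = {}
    for ev in events:
        if loader_from_foreign_volume(ev):
            suspects[ev["pid"]] = {"pid": ev["pid"], "cmdline": ev["cmdline"],
                                   "severity": "medium", "c2": None}
        elif ev["id"] == 3 and ev["pid"] in suspects and ev["dst_port"] == 443:
            suspects[ev["pid"]]["severity"] = "high"
            suspects[ev["pid"]]["c2"] = ev["dst_ip"]
    return list(suspects.values())


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On its own the loader rule is only a medium-confidence signal, since users do open ISO images from downloads for legitimate reasons; the escalation on the 443 callout from the same process is what turns it into something worth paging on. Port 443 is also where most benign traffic lives, so in production the destination should be checked against the indicator list Microsoft published alongside its post rather than treated as malicious on port alone.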