NOBELIUM Demonstrates  Why Microsoft Is the Weakest Link

Microsoft platforms and products are ubiquitous. Government agencies and companies of all sizes and industries around the world rely on Microsoft software to get things done. They are also riddled with security weaknesses and vulnerabilities, which makes them a common--almost universal--vector for attacks. Microsoft is an Achilles heel that can make organizations vulnerable. 

Case in point: Microsoft recently reported new activity from NOBELIUM—the threat actor responsible for the SolarWinds attacks and that has been identified as part of the Russian foreign intelligence service SVR. While the information was presented as threat research, it also revealed that Microsoft platforms and tools were leveraged in the attacks and that Microsoft customers were compromised. 

There are two troubling takeaways from this. First, Microsoft took what was essentially a customer security advisory and framed it as threat research. The other takeaway--which is even more concerning--is that less than a year after the SolarWinds attacks, Microsoft apparently allowed the same threat actors to slip through again. Microsoft has become the gateway to execute these sophisticated cyber attacks.

This goes beyond Patch Tuesdays. I have talked a lot about the increasing threat from Russia and ransomware. I have also frequently talked about the risk that organizations are exposed to as a result of Microsoft flaws and vulnerabilities and the impact of coercing customers to use inferior Microsoft security products to protect against weaknesses that their platforms and software have introduced. This NOBELIUM news straddles those lines, though, and illustrates why Microsoft continues to be the weakest link for both cybercrime and nation-state cyber threats. 

From Russia, With Love

Many of the biggest attacks over the last 12 months have been tied to Russian threat actors as tensions rise in an ongoing Cyber Cold War. In spite of sanctions and warnings to Russia and coordinated efforts to strengthen defenses, attacks associated with Russia continue.

There has also been a steady pace of significant ransomware attacks, including recent attacks that have affected production of candy just before Halloween, disrupted NFL football broadcasts and local news across the country, and targeted the National Rifle Association (NRA).

Now, you can add the latest NOBELIUM attacks to that list as well. Whether the attacks are nation-state attacks from Russia itself, or state-sanctioned, state-condoned, or state-ignored attacks from cybercriminals, most of the attacks share a common attack vector: Microsoft.

The Weakest Link

The information shared by Microsoft about the new activity from NOBELIUM suggests that abuse of the Azure AD trust relationship and the Azure Cloud platform play a central role in the malicious activity. It also discloses that Microsoft is notifying affected customers and engaging to assist with incident response—implying that the attacks slipped past Microsoft security defenses. Without coming right out and saying it, Microsoft suggests that NOBELIUM got past their security controls and succeeded in compromising customers using Microsoft platforms and products. 

Microsoft vulnerabilities, poor security controls, and configuration errors provide opportunities for attackers and keep IT security teams scrambling to put out fires. It isn’t just vulnerabilities and exploits, though. A recent report from Google analyzed more than 80 million ransomware samples and found that 95% of them are simply Windows-based executables or dynamic link libraries (DLLs).

Admittedly, some of these things are not issues to be resolved and they are outside of Microsoft’s control. However, they all point to the fact that one way or another Microsoft plays a pivotal role in most cyber attacks.

Defenders Have to Defend

The line between cybercrime and cyber espionage continues to blur as this Cyber Cold War escalates between nation-states. Microsoft is frequently a common denominator for successful attacks—and it is organizations who are often caught in the crossfire. 

It’s impractical to just not use Microsoft products or platforms, but you also shouldn’t trust Microsoft to effectively protect your environment when they can’t even protect themselves. Customers should continue to put pressure on Microsoft to step up its efforts to identify and resolve vulnerabilities, and to develop more secure products in the first place. It’s also time to push back on the predatory E5 licensing and bundling of inferior security tools.  

In the end, defenders have to defend. Cybercriminals and nation-state adversaries will continue to adapt and find new tools and tactics, but with the right tools you can avoid getting caught in the crossfire and defend effectively against all threats—including the ones that target Microsoft weaknesses. 

Lior Div
About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.

All Posts by Lior Div