In an update on Friday, Microsoft said it found “information-stealing malware” on the machine of one of its support agents that had access to “basic account information for a small number of our customers”.
“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device,” the company said.
“The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust ’least privileged access’ approach to customer information. We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.”
Microsoft recommended using multi-factor authentication and zero trust architectures to help protect environments.
Redmond recently warned that Nobelium was conducting a phishing campaign impersonating USAID after it managed to take control of a USAID account on the email marketing platform Constant Contact.
The phishing campaign targeted around 3,000 accounts linked to government agencies, think tanks, consultants, and non-governmental organisations, Microsoft said.
In its Friday update, Microsoft said it has continued to see “password spray and brute-force attacks”.
“This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised – we are aware of three compromised entities to date,” it said.
“All customers that were compromised or targeted are being contacted through our nation-state notification process.”
“The latest cyberattack reported by Microsoft does not involve our company or our customers in any way.”
Solarwinds later reached out, stating neither the company, nor its customers were involved in any way.
Malware made its way through normal Microsoft driver signing process
In a second Friday post, Microsoft admitted a malicious driver has managed to get signed by the software giant.
“The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time,” the company said.
“The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”
As a result of the incident, Microsoft said it would be “refining” its policies, validation, and signing processes.
Microsoft added the drivers would be blocked through its Defender applications.
While Microsoft called the malware a driver, Karsten Hahn of G Data, which discovered the Netfilter malware, labelled it as a rootkit.
“At the time of writing it is still unknown how the driver could pass the signing process,” he wrote.
Hahn said searching Virustotal produced sample signatures going back to March.
Netfilter has an update mechanism after hitting a particular IP address, installs a root certificate, and updates proxy settings, Hahn said.
Microsoft said for the attack to work, the attackers must have admin privileges for the installer to update registry keys and install the driver, or convince the user to do it themselves.
Updated at 8:54pm AEST, 29 June 2021: Added Solarwinds comment.
Related Coverage
Microsoft warns of current Nobelium phishing campaign impersonating USAIDJustice Department seizes domains used in Nobelium-USAID phishing campaignInnovation Oz Style: Take a world-leading secure kernel and kick it to the kerbBurnt by SolarWinds attack? US releases tool for post-compromise detectionMimecast reveals source code theft in SolarWinds hackMicrosoft: We’ve found three more pieces of malware used by the SolarWinds attackers