Protecting Your Organization Against the Nobelium Attacks

The UK’s National Cyber Security Centre has recently issued guidance to organizations in response to a series of attacks. This guidance was released following a notification in which Microsoft indicated that it had identified new activity tied to an Advanced Persistent Threat (Nobelium). Although this warning was issued specifically to those in the UK, the scope of the Nobelium attack was global and needs to be taken seriously by all organizations regardless of their geographic location.

In these attacks, Nobelium, the same cybercriminal gang that was responsible for the SolarWinds attack, used a combination of password spraying and brute force attacks to try to gain access to the systems that it was targeting. Although many of these attacks were ultimately unsuccessful, at least three organizations were compromised and Nobelium managed to install information stealing malware onto those systems. As such, both Microsoft and the National Cyber Security Centre recommend that organizations use multi-factor authentication.

Brute Force vs. Password Spray Attacks

Brute force techniques are a crude password cracking technique in which an attacker will try every possible character combination until they manage to find a password that works. Although brute force cracking is extremely inefficient, attackers have been able to use common password length and complexity rules as a way of reducing the number of passwords that they need to attempt. An attacker might for example, call an organization’s helpdesk posing as an end user and ask an “innocent” question such as “I’m about to change my password, how long does the new password need to be?”. The helpful helpdesk technician might respond by telling the attacker that the password needs to be at least eight characters long, and have a combination of uppercase letters, lower case letters, and numbers.

Once the attacker has that information in hand, they know that there is no need for their brute force attack to attempt to use seven character or shorter passwords. The attacker also knows that they can eliminate any potential password that does not meet the complexity rules. This greatly reduces the number of potential passwords, as well as the time required to perform a brute force attack.

In spite of these advantages, attackers often shy away from using brute force attacks. Such attacks can be extremely time consuming, and there is no guarantee of success. Additionally, there is a good chance that the attack will result in user accounts being locked out, thus halting the attack.

Password spray attacks were designed to overcome the disadvantages associated with brute force attacks. In a password spray attack, Over the years, hackers have compromised billions of user accounts and have compiled massive Dark Web databases containing these stolen credentials. By initiating a simple query against these databases, a hacker can easily discover which passwords users tend to use most often. These tend to be weak or easy to guess passwords such as P@ssw0rd or Monday1234.

In some ways, a spray attack is the opposite of a brute force attack. Rather than trying to crack one account by entering every possible password combination, a spray attack attempts to log into all of the organization’s accounts using a few passwords that are known to be especially common. In a large organization, there is a good chance that at least one user will be using one of these weak passwords. Additionally, if the attacker performs the spray slowly enough (for example, trying one password per day), they can usually avoid locking out the user’s accounts.

Defense from Attacks

So how can an organization best defend itself against password spray and brute force attacks? Both Microsoft and the National Cyber Security Centre advise enabling multi-factor authentication. Although the Windows operating system does natively support multi-factor authentication however, there are much stronger solutions available from third parties. Specops uReset, for example, enables multifactor authentication by leveraging a huge number of different identity providers. Better still, identity providers can be assigned a trust value. For instance, an admin might assign a low trust value to a consumer-oriented authentication service such as Google or LinkedIn, but link a higher trust value to biometric authentication. If a user needs to reset their password, they are can prove their identity using any of the authentication providers that they have enrolled with. If the user chooses to use low trust providers, the user may have to authenticate with several different providers in order to positively prove their identity. If on the other hand, the user authenticates with highly trusted providers, the user can prove their identity in far fewer steps.

Organizations should also use account lockout policies as a defense against brute force attacks. The down side to this however, is that if an attack does occur, an organization will likely end up with an increased volume of helpdesk calls due to the users who need their accounts to be unlocked. That’s why it is so important to have a self-service portal that a user can use to unlock their account. Specops uReset provides users with this capability. And just as a user must prove their identity prior to resetting their password, multifactor authentication is also used to confirm the identity of a user who needs for their account to be unlocked.

Specops Breached Password Protection Provides Defense Against Password Attacks

One more way that an organization can defend itself is to take advantage of Specops Breached Password Protection add-on. As previously noted, hackers have created sophisticated databases containing billions of stolen passwords. Because these passwords are integrated into password dictionaries (which are used in dictionary attacks), their use, even with a different account, poses a significant risk to the organization.

The Breached Password Protection add-on allows an organization to compare its user’s passwords against passwords that are known to have been compromised, thereby reducing the chances that an attacker will be able to use a stolen password to log into a user’s account. Furthermore, the Breached Password Protection add-on also includes information about the passwords that are being used in spray attacks as they are happening.

The reason why this is so important is because spray attacks aren’t necessarily limited to a single organization. In the case of the attack that led to the Microsoft and National Cyber Security Centre notification, multiple organizations were being targeted.

(Last updated on November 8, 2021)

Brien Posey writer

Written by

Brien Posey

Brien Posey is a freelance author and speaker, and 15-time Microsoft MVP with 20+ years of IT experience.

Back to Blog