"Microsoft Unravels One of NOBELIUM's Most Novel Cyber Attacks"

Microsoft has released a report detailing the first sighting of a Global Assembly Cache (GAC) implant in the wild. The new malware, called MagicWeb and developed by the Russian nation-state hacking group NOBELIUM, enables an attacker to authenticate as any user on a targeted network. The SolarWinds supply chain compromise in December 2020 is widely regarded as the most sophisticated nation-state cyberattack in history. Microsoft reports that NOBELIUM remains active, carrying out multiple malicious campaigns against government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia.

According to Microsoft, nation-state attackers such as NOBELIUM appear to have unlimited financial and technical support from their sponsor, as well as access to advanced tactics, techniques, and procedures (TTPs). Unlike most malicious actors, NOBELIUM changes its methods on nearly every machine it compromises. Microsoft's security analysts say this actor places a high value on its operations, making few mistakes and frequently modifying its tactics to avoid detection.

In August 2022, a Microsoft customer was infiltrated by MagicWeb, which NOBELIUM used to maintain persistent access to the compromised customer's environment. After observing unusual authentication requests, the customer contacted Microsoft's Detection and Response Team (DART). DART examined the incident, carried out multiple data-wrangling operations, and performed an in-depth data analysis to determine how the threat actor obtained access to the environment, how it installed the backdoor, and how the backdoor functioned. This article continues to discuss Microsoft's new report on one of NOBELIUM's most novel attacks.

HSToday reports "Microsoft Unravels One of NOBELIUM's Most Novel Cyber Attacks"