Microsoft recently announced that the threat actor Nobelium continues to target government agencies, think tanks, consultants, and non-government organizations with cyber attacks.
According to Microsoft, Nobelium gained access to the Constant Contact email account at United States Agency for International Development (USAID), using that access to distribute phishing emails to unsuspecting organizations that appeared to be authentic USAID emails.
While information is still coming to light, there is a critical, basic step that all organizations should take to reduce their risk: monitor exposed credentials and prevent password reuse.
The two USAID email addresses in the Microsoft technical blog post both appear in Bitsight’s “exposed credentials” dataset, meaning that these usernames have been exposed in prior breaches. At least one of the usernames was also exposed in a breach involving plaintext passwords. In fact, Bitsight has observed that more than 55,000 USAID credentials have been exposed in 145 prior breaches. If the owners of these credentials reused a password involved in one of those prior breaches -- or used an easily-guessed variation of it -- an attacker would have the knowledge necessary to easily gain access to a system.
Cyber attacks rarely employ novel, never before seen techniques, like zero day attacks. It is far more common for attackers to acquire customizable tools or data available on the dark web to exploit a series of vulnerabilities and weak controls to wreak havoc. By diligently maintaining controls and focusing on the essentials -- including continuously monitoring for exposed credentials and enforcing controls preventing password reuse -- organizations can reduce the risk of breach.