National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

Η Εθνική Ομάδα Αντιμετώπισης Ηλεκτρονικών Επιθέσεων προβλέπει την αύξηση της ηλεκτρονικής ασφαλείας ενισχύοντας την προστασία του κυβερνοχώρου των Εθνικών Κρίσιμων Πληροφοριακών Υποδομών, των τραπεζών και των παροχών επικοινωνίας της Κυπριακής Δημοκρατίας.

Russian state hackers switch targets after US joint advisories

10 Μαΐου 2021

Russian Foreign Intelligence Service (SVR) operators have switched their attacks to target new vulnerabilities in reaction to US govt advisories published last month with info on SVR tactics, tools, techniques, and capabilities used in ongoing attacks.

The warning comes after US and UK governments formally attributed the SolarWinds supply-chain attack and COVID-19 vaccine developer targeting to Russian SVR (aka APT29, Cozy Bear, and The Dukes) operators’ cyber-espionage efforts on April 15.

On the same day, the NSA, CISA, and the FBI informed organizations and service providers about the top five vulnerabilities exploited in SVR attacks against US interests.

In a third advisory issued on April 26, the FBI, DHS, and CIA warned of continued attacks coordinated by the Russian SVR against the US and foreign organizations.

The US federal agencies pointed out that SVR operators commonly use password spraying, exploit the CVE-2019-19781 vulnerability to obtain network access, and deploy WELLMESS malware on compromised systems.

Russian SVR’s response to US and UK advisories

Today, in a new NCSC(UK)-CISA-FBI-NSA joint security advisory [PDF], network defenders are warned to patch systems as promptly as possible to match the speed with which Russian SVR state hackers already changed targets following the April advisories.

“SVR cyber operators appear to have reacted […] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,” according to today’s US-UK joint advisory.

“These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses.

The Russian cyberspies have also begun scanning for Microsoft Exchange servers exposed to ProxyLogon attacks targeting the CVE-2021-26855.

In all, as US and UK cyber-agencies recently observed, the Russian SVR is exploiting multiple vulnerabilities including, but not limited to:

  • CVE-2018-13379 FortiGate
  • CVE-2019-1653 Cisco router
  • CVE-2019-2725 Oracle WebLogic Server
  • CVE-2019-9670 Zimbra
  • CVE-2019-11510 Pulse Secure
  • CVE-2019-19781 Citrix
  • CVE-2019-7609 Kibana
  • CVE-2020-4006 VMWare
  • CVE-2020-5902 F5 Big-IP
  • CVE-2020-14882 Oracle WebLogic
  • CVE-2021-21972 VMWare vSphere

Mitigation advice and guidance

“The SVR targets organizations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time-bound targeting, for example, COVID-19 vaccine targeting in 2020,” the joint advisory reads.

“Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage.”

At-risk government and privately-held organizations are urged to follow mitigation advice and guidance shared in the joint advisory and use Snort and YARA detection rules in the appendix to detect and defend against ongoing Russian SVR activity.

Below you can find a quick rundown of important mitigation measures for defending against these ongoing attacks:

  • Managing and applying security updates as quickly as possible will help reduce the attack surface available for SVR actors, and force them to use higher equity tooling to gain a foothold in the networks.
  • By implementing good network security controls and effectively managing user privileges, organizations will help prevent lateral movement between hosts. This will help limit the effectiveness of even complex attacks.
  • Detecting supply chain attacks, such as the Mimecast compromise, will always be difficult. An organization may detect this sort of activity through heuristic detection methodologies such as the volume of emails being accessed or by identifying anomalous IP traffic.
  • Organizations should ensure sufficient logging (both cloud and on-premises) is enabled and stored for a suitable amount of time to identify compromised accounts, exfiltrated material, and actor infrastructure.
  • Use Microsoft’s mailbox auditing action called ‘MailItemsAccessed’ to investigate the compromise of email accounts and identify emails accessed by users. This gives organizations forensic defensibility to help assert which individual pieces of mail were or were not maliciously accessed by an attacker.

CISA also published a summary of mitigation strategies [PDF] shared in the joint advisories issued during the last month to help secure networks against Russian SVR attacks.

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

ENISA: Cyber threats require heightened defences

#CyberSecMonth 2017 - Cyber Security in the Home