A joint advisory by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA) and the UK National Cyber Security Centre (NCSC) warned organizations about updated Tactics, Techniques and Procedures (TTPs) associated with SVR cyber actors. SVR cyber actors are known and tracked in open source as APT29, Cozy Bear, and the Dukes.
The SVR is Russia’s civilian foreign intelligence service. The group uses a variety of tools and techniques to target, predominantly, overseas governmental, diplomatic, think-tank, healthcare, and energy organizations for intelligence gain.
“The SVR is a technologically sophisticated and highly capable cyber actor. It has developed capabilities to target organizations globally, including in the UK, US, Europe, NATO member states, and Russia’s neighbors”, said the alert.
Security Flaws Exploited by Hackers
The group seeks to take full advantage of exploits as soon as they are made public. It has used:
- CVE-2018-13379 Fortinet FortiGate (FortiOS SSL VPN)
- CVE-2019-1653 Cisco RV320/RV325 routers
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-9670 Zimbra Collaboration Suite
- CVE-2019-11510 Pulse Secure (Pulse Connect Secure VPN)
- CVE-2019-19781 Citrix ADC and Gateway
- CVE-2019-7609 Kibana
- CVE-2020-4006 VMware Workspace ONE Access
- CVE-2020-5902 F5 BIG-IP
- CVE-2020-14882 Oracle WebLogic Server
- CVE-2021-21972 VMware vSphere (vCenter Server)
The group rapidly exploits recently disclosed public vulnerabilities that are likely to give it initial access to its targets.
“Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage”.
The group has also scanned for Microsoft Exchange servers vulnerable to CVE-2021-26855, the server-side request forgery flaw that opens the ProxyLogon exploit chain. Such scanning is typically followed, when it succeeds, by the use of further exploits and the deployment of a webshell. Other Microsoft Exchange exploits commonly used in conjunction with this CVE include:
- CVE-2021-26857 (insecure deserialization in the Unified Messaging service)
- CVE-2021-26858 (post-authentication arbitrary file write)
- CVE-2021-27065 (post-authentication arbitrary file write)
The SolarWinds campaign demonstrates the actor’s willingness to target organizations that supply privileged software, such as network management or security applications, to many users or organizations.
NCSC and partner industry analysis shows that on multiple occasions, SVR actors used Cobalt Strike, a commercial Red Team command and control framework, to carry out their operations after initial exploitation.
NCSC observed that once SVR actors had gained initial access to a victim’s network, they then made use of the open-source Red Team command and control framework named Sliver.
The use of the Sliver framework was likely an attempt to maintain access to a number of existing WellMess and WellMail victims. SVR operators often used separate command and control infrastructure for each Sliver victim. SVR actors have also used methods other than malware to maintain persistence on high-value targets, including the use of stolen credentials.
The advisory mentions that SVR actors often target administrator mailboxes to acquire further network information and access. The aim is to better understand the target network and to obtain further privileges or credentials for persistence and/or lateral movement.
The advisory recommends the following mitigations:
- Managing and applying security updates as quickly as possible will reduce the attack surface available to SVR actors and force them to expend higher-equity tooling (capabilities they would rather not expose) to gain a foothold in a network.
- Implementing good network security controls and effectively managing user privileges will help organizations prevent lateral movement between hosts.
- Detecting supply chain attacks, such as the Mimecast compromise, will always be difficult. An organization may still be able to detect them through heuristic methods, such as monitoring the volume of emails being accessed or identifying anomalous IP traffic.
- Ensure sufficient logging (both cloud and on-premises) is enabled and stored for a suitable amount of time, to identify compromised accounts, exfiltrated material, and actor infrastructure.
- Implement Microsoft’s mailbox auditing action ‘MailItemsAccessed’ (part of Microsoft 365 Advanced Audit), which helps with investigating the compromise of email accounts.
- With ‘MailItemsAccessed’ enabled, administrators can identify almost every individual email accessed by a user, giving organizations the forensic defensibility to assert which specific pieces of mail were or were not accessed by an attacker.
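As an added example that is not part of the advisory or this article, the Python script below applies the heuristics from the last two bullets to MailItemsAccessed records: it aggregates accessed messages per mailbox and client address, flags addresses outside a known egress baseline and unusually high access volumes, and surfaces two details an investigator must not overlook. A record whose MailAccessType is ‘Sync’ means a client synchronized a whole folder, so every item in that folder has to be treated as accessed; and a record with IsThrottled set means Exchange Online stopped writing MailItemsAccessed records for that mailbox (Microsoft documents this after more than 1,000 records in 24 hours), so the absence of a record proves nothing about what was not read. The records here are constructed and only mimic the field layout of Unified Audit Log exports (UserId, ClientIPAddress, OperationProperties, Folders/FolderItems); the baseline IP set and the volume threshold are hypothetical.

```python
"""Triage MailItemsAccessed audit records with the heuristics discussed above:
unexpected client addresses, access volume, folder syncs and throttled (incomplete) coverage.

Added example for this page, not Microsoft's or the advisory's code. The records are constructed
and only mimic the field layout of Exchange Online Unified Audit Log "MailItemsAccessed" events.
"""
import json
from collections import defaultdict


def _record(time, user, ip, access_type, folder, message_ids=(), throttled=False):
    """Build one constructed audit record in the MailItemsAccessed shape used by this example."""
    return {
        "CreationTime": time,
        "Operation": "MailItemsAccessed",
        "UserId": user,
        "ClientIPAddress": ip,
        "ClientInfoString": "Client=REST;Client=RESTSystem;;",
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": access_type},   # "Bind" = item opened, "Sync" = folder synced
            {"Name": "IsThrottled", "Value": "True" if throttled else "False"},
        ],
        "Folders": [{"Path": folder, "FolderItems": [{"InternetMessageId": m} for m in message_ids]}],
    }


# Constructed sample log, one JSON object per line (the shape of an exported Unified Audit Log search).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    _record("2021-05-07T08:01:10", "admin@example.com", "203.0.113.10", "Bind", "\\Inbox",
            ["<a1@example.com>", "<a2@example.com>"]),
    _record("2021-05-07T02:14:03", "admin@example.com", "198.51.100.77", "Bind", "\\Inbox",
            [f"<b{i}@example.com>" for i in range(6)]),
    _record("2021-05-07T02:15:40", "admin@example.com", "198.51.100.77", "Sync", "\\Sent Items"),
    _record("2021-05-07T09:30:00", "alice@example.com", "203.0.113.10", "Bind", "\\Inbox",
            ["<c1@example.com>"], throttled=True),
])

KNOWN_EGRESS_IPS = {"203.0.113.10"}  # hypothetical baseline of the organization's own egress addresses
VOLUME_THRESHOLD = 5                  # hypothetical: distinct messages one address may read before we flag


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _prop(record, name):
    """Look up a Name/Value pair in the record's OperationProperties list."""
    for item in record.get("OperationProperties", []):
        if item.get("Name") == name:
            return item.get("Value")
    return None


def summarize_access(records):
    """Aggregate MailItemsAccessed records per (mailbox, client IP).

    Bind records contribute the individual message IDs read. Sync records only tell us a folder
    was synchronized, so the folder path is kept and every item in it must be presumed accessed.
    IsThrottled marks periods in which Exchange stopped writing records for the mailbox.
    """
    summary = defaultdict(lambda: {"bind_items": set(), "sync_folders": set(), "throttled": False})
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        entry = summary[(rec["UserId"], rec["ClientIPAddress"])]
        if str(_prop(rec, "IsThrottled")).lower() == "true":
            entry["throttled"] = True
        synced = _prop(rec, "MailAccessType") == "Sync"
        for folder in rec.get("Folders", []):
            if synced:
                entry["sync_folders"].add(folder.get("Path"))
            else:
                entry["bind_items"].update(i.get("InternetMessageId") for i in folder.get("FolderItems", []))
    return summary


def find_anomalies(summary, known_ips, volume_threshold):
    """Return (user, ip, code, detail) findings; codes: unknown_ip, high_volume, folder_sync, throttled."""
    findings = []
    for (user, ip), entry in sorted(summary.items()):
        if ip not in known_ips:
            findings.append((user, ip, "unknown_ip", "client address outside the known egress baseline"))
        if len(entry["bind_items"]) > volume_threshold:
            findings.append((user, ip, "high_volume",
                             f"{len(entry['bind_items'])} distinct messages read (threshold {volume_threshold})"))
        if entry["sync_folders"]:
            findings.append((user, ip, "folder_sync",
                             "treat every item in " + ", ".join(sorted(entry["sync_folders"])) + " as accessed"))
        if entry["throttled"]:
            findings.append((user, ip, "throttled",
                             "audit records incomplete for this mailbox; absence of a record proves nothing"))
    return findings


if __name__ == "__main__":
    for user, ip, code, detail in find_anomalies(
            summarize_access(parse_records(SAMPLE_AUDIT_LOG)), KNOWN_EGRESS_IPS, VOLUME_THRESHOLD):
        print(f"{user:<20} {ip:<15} {code:<12} {detail}")
```

Run against the constructed log, the administrator mailbox read from the unknown address 198.51.100.77 produces three findings (unknown address, six messages above the threshold of five, and a Sent Items sync), while the throttled record for alice@example.com produces a warning that the audit trail for that mailbox is incomplete. The same ordinary access from the baseline address produces nothing. In a real investigation the baseline would come from the organization’s known egress and VPN ranges, and the threshold from the mailbox’s normal access volume rather than a fixed constant.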