The US/UK Governments Issue Cybersecurity Advisory on Russian Threat Actor Activity

The News:  A joint advisory was published on Friday, May 7, 2021 by the Cybersecurity & Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre, the FBI, and the NSA focused on Russian Foreign Intelligence Service (SVR) and their tactics, techniques and procedures used to target victims. These reports focus on threats posted by APT29, how its methods have evolved, and provides best practices to defend against the threat actor. Read the Joint Advisory here. The US/UK Governments Issue Cybersecurity Advisory on Russian Threat Actor Activity Analyst Take: This past Friday was a big day for cybersecurity advisories related to Russian Foreign Service (SVR) threat actors. The threat group APT29 has been attributed to Russia’s SVR and have operated since about 2008, largely targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 is also known by the names Dark Halo, StellarParticle, NOBELLIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, and Cozy Duke. In the recently issued joint advisory, the US and UK governments outlined tactics and techniques that the Russians are using in their hacking efforts and outlined how they are targeting their victims. In an earlier alert issued the week prior, SVR operations were outlined, along with trends and some recommended best practices for network defenders. These reports also provide more details on the SolarWinds attack spearheaded by those same Russian SVR threat actors. The SolarWinds attack saw malicious updates from compromised SolarWinds systems breaching hundreds of organizations – and we don’t yet know the full scope of the damage. Last year we also saw that same SVR group targeting vaccine R&D operations, which involved malware tracked as WellMesshttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c and WellMail. What caught my eye here and what is highlighted in the report is that threat actors embrace best practices for digital transformation. They are agile and adaptable. Once they are detected, they pivot. For instance, once the WellMess/WellMail breach was detected, APT29 pivoted. And this pivot was a really pretty brilliant. The threat actors began using Sliver, which is a security testing tool developed by Bishop Fox, an offensive security assessment firm. Sliver is a legitimate tool used for adversary simulation. This new report focuses on helping threat hunters detect Sliver, but here’s the rub: just because it’s detected doesn’t necessarily mean it’s malicious. Have a headache yet? I do. My colleague Fred McClimans and I covered this jointly issued report in our Cybersecurity Shorts series on the Futurum Tech Webcast this past week. Threat Actors Make It Their Job to Know When Servers Are Vulnerable The newly published warning report said that threat actors are actively scanning the internet for vulnerable servers, including vulnerabilities affecting VMware’s vCenter Server product and Microsoft Exchange servers, which have already been exploited by many. There are five vulnerabilities the government warns that need immediate attention in addition to the newest Microsoft Exchange Server updates just made available in mid-April. These five are: CVE-2018-13379 Fortinet FortiGate VPN  CVE-2019-9670 Synacor Zimbra Collaboration Suite (advisory here) CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN CVE-2019-19781 Citrix Application Delivery Controller and Gateway  CVE-2020-4006 VMware Workspace ONE Access A final note that organizations have been slow to apply the available fixes, leaving organizations massively at risk. Access the full Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian CyberSecurity here: Advisory: Further TTPs Associated with SVR Cyber Actors The government also released Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise that they recommend all security personnel familiarize themselves with.