Russian State Hackers Switch Targets After US Joint Advisories

Russian Foreign Intelligence Service (SVR) operators have switched their attacks to target new vulnerabilities in reaction to US government advisories published last month with information on SVR tactics, tools, techniques, and capabilities used in ongoing attacks.

The warning comes after US and UK governments formally attributed the SolarWinds supply-chain attack and COVID-19 vaccine developer targeting to Russian SVR (aka APT29, Cozy Bear, and The Dukes) operators’ cyber-espionage efforts on April 15.

On the same day, the NSA, CISA, and the FBI informed organizations and service providers about the top five vulnerabilities exploited in SVR attacks against US interests.

In a third advisory issued on April 26, the FBI, DHS, and CIA warned of continued attacks coordinated by the Russian SVR against the US and foreign organizations.

The US federal agencies pointed out that SVR operators commonly use password spraying, exploit the CVE-2019-19781 vulnerability to obtain network access, and deploy WELLMESS malware on compromised systems.

Russian SVR’s response to US and UK advisories

Today, in a new NCSC(UK)-CISA-FBI-NSA joint security advisory [PDF], network defenders are warned to patch systems as promptly as possible to match the speed with which Russian SVR state hackers already changed targets following the April advisories.

“SVR cyber operators appear to have reacted […] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,” according to today’s US-UK joint advisory.

“These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses.”

The Russian cyberspies have also begun scanning for Microsoft Exchange servers exposed to ProxyLogon attacks targeting CVE-2021-26855.

In all, as US and UK cyber-agencies recently observed, the Russian SVR is exploiting multiple vulnerabilities including, but not limited to:

Mitigation advice and guidance

“The SVR targets organizations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time-bound targeting, for example, COVID-19 vaccine targeting in 2020,” the joint advisory reads.

“Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage.”

At-risk government and privately-held organizations are urged to follow mitigation advice and guidance shared in the joint advisory and use Snort and YARA detection rules in the appendix to detect and defend against ongoing Russian SVR activity.

Below you can find a quick rundown of important mitigation measures for defending against these ongoing attacks:

  • Managing and applying security updates as quickly as possible will help reduce the attack surface available for SVR actors, and force them to use higher equity tooling to gain a foothold in the networks.
  • By implementing good network security controls and effectively managing user privileges, organizations will help prevent lateral movement between hosts. This will help limit the effectiveness of even complex attacks.
  • Detecting supply chain attacks, such as the Mimecast compromise, will always be difficult. An organization may detect this sort of activity through heuristic detection methodologies such as the volume of emails being accessed or by identifying anomalous IP traffic.
  • Organizations should ensure sufficient logging (both cloud and on-premises) is enabled and stored for a suitable amount of time to identify compromised accounts, exfiltrated material, and actor infrastructure.
  • Use Microsoft’s mailbox auditing action called ‘MailItemsAccessed’ to investigate the compromise of email accounts and identify emails accessed by users. This gives organizations forensic defensibility to help assert which individual pieces of mail were or were not maliciously accessed by an attacker.
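The last three points above (sufficient logging, volume- and IP-based heuristics, and MailItemsAccessed auditing) come together in a small triage script. The following is an added example, not code from the advisory or from Microsoft: it takes constructed audit records shaped like MailItemsAccessed entries (field names assumed from Microsoft's published audit schema; every value is invented), aggregates how many messages each client IP read or synced per user, and flags access from IPs outside a known set or bulk reads above a threshold.

```python
import json
from collections import defaultdict

# Constructed audit records in the shape of Microsoft 365 MailItemsAccessed
# entries (Operation, UserId, ClientIPAddress, OperationProperties carrying
# MailAccessType Bind|Sync, Folders with FolderItems). All values are invented.
def _rec(user, ip, access, folders):
    return json.dumps({"Operation": "MailItemsAccessed", "UserId": user, "ClientIPAddress": ip,
                       "Folders": folders,
                       "OperationProperties": [{"Name": "MailAccessType", "Value": access}]})

def _folder(path, n_items):
    return {"Path": path, "FolderItems": [{"InternetMessageId": f"<c{i}@example.com>"} for i in range(n_items)]}

SAMPLE_RECORDS = [
    _rec("alice@example.com", "198.51.100.10", "Bind", [_folder("\\Inbox", 3)]),
    _rec("alice@example.com", "203.0.113.7", "Sync", [_folder("\\Inbox", 0), _folder("\\Sent Items", 0)]),
    _rec("alice@example.com", "203.0.113.7", "Bind", [_folder("\\Inbox", 60)]),
    _rec("bob@example.com", "198.51.100.10", "Bind", [_folder("\\Inbox", 2)]),
]

def summarize_mail_access(lines):
    """Per (user, client IP): number of messages bound (read) and folders synced."""
    # Caveat: Microsoft documents that once a mailbox exceeds its Bind quota in a
    # 24h window, later Bind events are dropped and a record carries IsThrottled,
    # so bind_items is a lower bound, not an exact count.
    stats = defaultdict(lambda: {"bind_items": 0, "sync_folders": 0})
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        props = {p.get("Name"): p.get("Value") for p in rec.get("OperationProperties", [])}
        entry = stats[(rec["UserId"], rec.get("ClientIPAddress", "unknown"))]
        if props.get("MailAccessType") == "Bind":
            entry["bind_items"] += sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", []))
        elif props.get("MailAccessType") == "Sync":
            entry["sync_folders"] += len(rec.get("Folders", []))
    return stats

def flag_suspicious(stats, known_ips, bind_threshold=50):
    """Return (user, ip, reasons) for unknown client IPs or bulk message reads."""
    findings = []
    for (user, ip), e in sorted(stats.items()):
        reasons = []
        if ip not in known_ips:
            reasons.append(f"client IP outside known ranges; {e['sync_folders']} folder(s) synced")
        if e["bind_items"] >= bind_threshold:
            reasons.append(f"{e['bind_items']} items bound (bulk read)")
        if reasons:
            findings.append((user, ip, reasons))
    return findings
```

Feed it the AuditData JSON of real MailItemsAccessed records exported from the unified audit log and a set of your organisation's egress and VPN addresses as `known_ips`; the threshold is a tuning knob, not a fixed indicator.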

CISA also published today a summary of mitigation strategies [PDF] shared in the joint advisories issued during the last month to help secure networks against Russian SVR attacks.

Privacy Ninja
