The US and UK governments have released new information on the current tactics of Russian cyber-spies, including 11 vulnerabilities dating back to 2018 that are being used for initial access.
The new report, Further TTPs associated with SVR cyber actors, was released by the UK’s National Cyber Security Centre (NCSC) together with the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI.
It updates readers on the activities of the Russian Foreign Intelligence Service (SVR) — also known as APT29, Cozy Bear, and The Dukes — blamed for the recent SolarWinds attacks and many other espionage campaigns.
In a classic cat-and-mouse game, the SVR appears to have recently changed its tactics in response to a previous report issued by the US and UK, in an attempt to stay hidden.
According to the agencies, this includes exploitation of the widely reported Microsoft Exchange Server bugs.
The report also listed 11 flaws in products from Fortinet, Cisco, Oracle, Zimbra, Pulse Secure, Citrix, Elasticsearch, VMware and F5 which are being exploited by the SVR to gain access to victim networks.
“This list should not be treated as exhaustive,” the report warned.
“The group will look to rapidly exploit recently released public vulnerabilities which are likely to enable initial access to their targets.”
The government report also flagged the SVR’s post-compromise use of the commercial red-team tool Cobalt Strike, alongside a custom backdoor (GoldMax), downloader (Sibot) and HTTP tracer tool (GoldFinder), and the open source red team command-and-control framework Sliver.
Organizations should be particularly careful to protect their administrator mailboxes: these are a common target for SVR actors, who use that access to map the victim’s network and to obtain further privileges and credentials for persistence and lateral movement.
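One concrete way to act on that advice is to audit who else can read, send from or receive copies of a privileged account’s mail. The script below is an added example written for this page, not code from the advisory or the agencies; it assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline) and a hypothetical list of administrator accounts in $AdminUsers.

```powershell
# Added example, not from the NCSC/CISA advisory.
# Assumes: Connect-ExchangeOnline has already been run, and $AdminUsers holds
# the UPNs of the privileged accounts you want to review (hypothetical values).
$AdminUsers = @('admin1@example.com', 'admin2@example.com')

$Findings = foreach ($upn in $AdminUsers) {
    $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "No mailbox found for $upn"; continue }

    # 1. Explicit FullAccess delegations granted to anyone other than the owner.
    Get-MailboxPermission -Identity $upn |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       -not $_.IsInherited -and
                       $_.User -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $upn; Type = 'FullAccess'; Detail = $_.User }
        }

    # 2. SendAs rights held by other principals.
    Get-RecipientPermission -Identity $upn |
        Where-Object { $_.AccessRights -contains 'SendAs' -and
                       $_.Trustee -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $upn; Type = 'SendAs'; Detail = $_.Trustee }
        }

    # 3. Mailbox-level forwarding set on the mailbox object itself.
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox = $upn
            Type    = 'MailboxForwarding'
            Detail  = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim()
        }
    }

    # 4. Inbox rules that forward, redirect or silently delete mail.
    Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
                       $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $upn; Type = 'InboxRule'; Detail = $_.Name }
        }
}

# Review the list by hand; every entry should be explainable by a ticket or a
# documented business need. Anything unexplained on an admin mailbox warrants
# an incident-response look rather than a quiet cleanup.
$Findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run: a new FullAccess grant, SendAs right or forwarding rule on an administrator mailbox is a far higher-fidelity signal than the same change on an ordinary user account.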
Gurucul CEO Saryu Nayyar argued that as long as unpatched systems remain openly accessible, attacks will continue.
“The payloads may change depending on what the threat actor is after, but attackers will continue to leverage vulnerabilities in web servers, routers and virtualization software until there aren't any vulnerable hosts to exploit,” she added.
“This series of attacks is a reminder of how important it is to patch security vulnerabilities, and to make sure the network is protected with an up-to-date security stack.”