The News: A joint advisory was published on Friday, May 7, 2021 by the UK’s National Cyber Security Centre (NCSC), the US Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the NSA, focused on the Russian Foreign Intelligence Service (SVR) and the tactics, techniques and procedures it uses to target victims. The advisory covers threats posed by APT29, how the group’s methods have evolved, and best practices for defending against it. Read the Joint Advisory here.
The US/UK Governments Issue Cybersecurity Advisory on Russian Threat Actor Activity
Analyst Take: This past Friday was a big day for cybersecurity advisories related to Russian Foreign Intelligence Service (SVR) threat actors. The threat group APT29 has been attributed to Russia’s SVR and has operated since about 2008, largely targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 is also tracked under the names Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, and CozyDuke.
In the newly issued joint advisory, the US and UK governments describe the tactics and techniques the SVR is using in its intrusions and how it selects and targets its victims. An earlier CISA alert, issued on April 26, described SVR operations and trends and offered recommended best practices for network defenders.
These reports also provide more detail on the SolarWinds campaign run by those same SVR threat actors. In that campaign, trojanized updates to SolarWinds’ Orion platform, built on compromised SolarWinds systems, were pushed to customers and used to breach hundreds of organizations, and we still don’t know the full scope of the damage. Last year the same SVR group targeted COVID-19 vaccine research and development, using malware tracked as WellMess (CISA analysis report: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c) and WellMail.
What caught my eye, and what the report highlights, is that these threat actors behave the way we tell businesses to behave in a digital transformation: they are agile and adaptable. Once a toolset is detected and publicly reported, they drop it and pivot. For instance, after the WellMess and WellMail malware was exposed in 2020, APT29 changed its tooling.
And this pivot was really pretty clever. The threat actors moved to Sliver, an open-source command-and-control framework for red teams and adversary emulation developed by Bishop Fox, an offensive security assessment firm.
Sliver is a legitimate tool used for adversary simulation, and red teams run it inside networks they are authorized to test. The new report focuses on helping threat hunters detect Sliver, but here’s the rub: just because it’s detected doesn’t necessarily mean it’s malicious, so every hit has to be checked against what your own testers are actually doing. Have a headache yet? I do.
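To make that rub concrete, here is an added example (it is not code from the advisory, from Futurum, or from Bishop Fox): a small Python hunt-and-triage routine. It looks for module-path strings that survive in Sliver implants built without symbol obfuscation, checks that the file carries Go’s linker build-ID marker, and then matches each hit against a register of authorized red-team engagements so that a sighting on an in-scope host during an approved window is labelled as testing rather than escalated. The two marker strings, the engagement register format and the sample byte blobs are assumptions constructed for the example; Sliver builds that obfuscate symbols will not contain these strings, so a miss means “not proven present”, not “clean”.

```python
"""Hunt for unobfuscated Sliver implant strings and triage each hit against a
register of authorized red-team engagements (added example, not project code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch

# Go's linker writes this prefix ahead of the build ID at the start of .text,
# so its presence is a cheap "this is a Go binary" check.
GO_BUILD_ID_MARKER = b"\xff Go build ID: \""

# Assumed indicators: Sliver's Go module path and protobuf package name, which
# remain in implants built WITHOUT symbol obfuscation. Obfuscated builds will
# not match; a miss is not evidence of absence.
SLIVER_MARKERS = (
    b"github.com/bishopfox/sliver",
    b"sliverpb",
)


def scan_for_sliver(blob: bytes) -> dict:
    """Return which Sliver markers were found and whether the blob looks like Go."""
    return {
        "is_go_binary": GO_BUILD_ID_MARKER in blob,
        "markers": [m.decode() for m in SLIVER_MARKERS if m in blob],
    }


@dataclass(frozen=True)
class Engagement:
    """One authorized red-team engagement (hypothetical register format)."""
    ticket: str
    host_glob: str      # shell-style pattern of in-scope hostnames
    start: datetime
    end: datetime

    def covers(self, host: str, when: datetime) -> bool:
        return fnmatch(host, self.host_glob) and self.start <= when <= self.end


def triage(host: str, observed_at: datetime, blob: bytes,
           register: list[Engagement]) -> str:
    """Classify a sighting: 'no_match', 'authorized_testing:<ticket>' or 'investigate'.

    A Sliver hit on an in-scope host inside an approved window is attributed to
    the engagement; any other hit is escalated for investigation.
    """
    hit = scan_for_sliver(blob)
    if not hit["markers"]:
        return "no_match"
    for eng in register:
        if eng.covers(host, observed_at):
            return f"authorized_testing:{eng.ticket}"
    return "investigate"


# --- constructed sample data (not real binaries, not a real register) ---
SLIVER_LIKE = (GO_BUILD_ID_MARKER + b"abc123\"\n \xff" + b"\x00" * 16
               + b"github.com/bishopfox/sliver/protobuf/sliverpb\x00")
BENIGN_GO = GO_BUILD_ID_MARKER + b"def456\"\n \xff" + b"github.com/golang/protobuf\x00"

REGISTER = [
    Engagement("RT-2021-017", "lab-*",
               datetime(2021, 5, 3, tzinfo=timezone.utc),
               datetime(2021, 5, 14, tzinfo=timezone.utc)),
]
OBSERVED_AT = datetime(2021, 5, 7, 12, 0, tzinfo=timezone.utc)


def demo() -> tuple:
    """Three sightings: in-scope lab host, out-of-scope file server, benign Go binary."""
    return (
        triage("lab-07", OBSERVED_AT, SLIVER_LIKE, REGISTER),        # authorized_testing:RT-2021-017
        triage("fileserver-02", OBSERVED_AT, SLIVER_LIKE, REGISTER), # investigate
        triage("lab-07", OBSERVED_AT, BENIGN_GO, REGISTER),          # no_match
    )


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the register check is that the detection logic and the authorization decision are deliberately separate: the scanner only says “Sliver-like strings present in a Go binary”, and the verdict depends on whether a named engagement covers that host at that time. Run the same hit against the register after the window closes (for example May 20) and it is escalated as `investigate`, which is what you want when a tester leaves an implant behind.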
My colleague Fred McClimans and I covered this jointly issued report in our Cybersecurity Shorts series on the Futurum Tech Webcast this past week. If you’d like to watch or listen to this brief overview, you’ll find it here:
Threat Actors Make It Their Job to Know When Servers Are Vulnerable
The newly published advisory says threat actors are actively scanning the internet for vulnerable servers, including those exposed to recent vulnerabilities in VMware’s vCenter Server and Microsoft Exchange Server, both of which are already being exploited by many actors.
The government warns that five vulnerabilities need immediate attention, in addition to the Microsoft Exchange Server updates released in mid-April. These five are:
- CVE-2018-13379 Fortinet FortiGate VPN
- CVE-2019-9670 Synacor Zimbra Collaboration Suite (advisory here)
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 VMware Workspace ONE Access
Access the full joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian SVR activity here: Advisory: Further TTPs Associated with SVR Cyber Actors
The government also released a Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise, which it recommends all security personnel familiarize themselves with.
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Shelly Kramer: Absolutely. Absolutely. All right. We’re going to move on to the final topic that I wanted to hit on today and that is about, again, government. There’s a theme here. I wanted to talk about the fact that the United States and the UK governments issued a cybersecurity advisory today on Russian threat actor activity. This advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA). We talk about that a lot, but sometimes I hate to throw acronyms out there and just assume everybody knows what an acronym stands for.
CISA is the US Cybersecurity and Infrastructure Security Agency, which is a mouthful. The UK’s National Cyber Security Centre, the FBI, and the NSA. This report, this advisory, was focused on the Russian Foreign Intelligence Service, they called it SVR, and their tactics and their techniques and their procedures that they used to target victims and really how their methods have evolved. Again, the cybersecurity landscape is a constantly evolving landscape. These organizations came together to publish this report and to provide some best practices to defend against it.
In the show notes, I’ll include a link to the full advisory. There was another alert published by CISA on April 26th. In that report, they outlined the Russian operations and trends and really how to think about working through these if you’re a network defender. We mentioned SolarWinds earlier. This report also provided some additional details on the SolarWinds attack, which was spearheaded by these same Russian SVR threat actors. What was interesting about the SolarWinds attack, what happened there is we saw malicious updates from compromised SolarWinds systems.
And that breached hundreds of organizations. We don’t yet know the full scope of the damage, and we won’t for a long time. Last year, we saw that same group of threat actors targeting vaccine R&D operations around the world. This involved malware that was tracked as something called WellMess and WellMail. One comment I’d make, from looking at this information, is that one of the things they highlighted in this report is that, as we’ve talked about, threat actors are agile. They’re adaptable. They’re extremely adaptable.
For instance, with the WellMess and the WellMail instances, as soon as they were detected, they pivoted and they started doing something different. What happened here, which I thought was really fascinating and frightening, is that they started using Sliver, which is a security testing tool that was developed by Bishop Fox, which is an offensive security assessment firm. An offensive security assessment firm is just like it sounds, right? Their whole job is to be out there on the offense providing tools and probably services that help organizations be on the offense rather than be defensive about security.
Sliver is a legitimate tool that is used for adversary simulation. You want to protect your network, you use Sliver, right? What’s scary about that is that now part of this new report that’s out is on helping organizations detect Sliver, see if it’s in use, and then try to figure out if it’s a legitimate use or a malicious use. To me, wrap your head around this: this is a good tool by a good company that’s doing good things. These smart SVR threat actors pivoted to use this tool to help them do what it is they want to do. To me, that’s really interesting.
But what I want to end here with in terms of my own comments is that it’s really important to understand that these threat actors are constantly… They are incredibly smart. I’ve used the word agile. They are looking for vulnerabilities, and they’re using technology to help them spot… They’re scanning the internet. They’re using technology to help them spot vulnerabilities.
Some of the biggest ones recently, that are still very active and that the government warns against, warns organizations who haven’t perhaps yet patched these, these vulnerabilities include, of course, the Microsoft Exchange Servers. Many of them remain unpatched. VMware’s vCenter Server product is on the list of the top five that are focused on. Fortinet FortiGate VPN. The Pulse Connect Secure VPN, which we talked about last week, is on the list. Citrix Application Delivery Controller and Gateway. And one more, Synacor Zimbra Collaboration Suite.
There are five things, plus Microsoft Exchange Servers, that the government in this advisory is warning about: do not let your guard down if you use any of these products and you haven’t yet updated and patched. It’s a lot.