American and U.K. cyber and law enforcement agencies have expanded their list of IT products Russia’s SVR intelligence agency is using to hack into targets and are urging CISOs to patch these products and other network devices as soon as possible.
The joint advisory issued last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) is the latest in a series of descriptions of the tactics used by the threat group known to researchers as APT29, Cozy Bear, and the Dukes.
The report says the most recent vulnerable application the threat actors are trying to leverage is unpatched on-premises installations of Microsoft Exchange.
It has also raised the number of vulnerable network devices being targeted for initial access to 11, from the five listed in an advisory last month, and the agencies warn this list may grow. The devices, with the CVE number of the critical vulnerability in each, are:
• CVE-2018-13379 FortiGate
• CVE-2019-1653 Cisco router
• CVE-2019-2725 Oracle WebLogic Server
• CVE-2019-9670 Zimbra
• CVE-2019-11510 Pulse Secure
• CVE-2019-19781 Citrix
• CVE-2019-7609 Kibana
• CVE-2020-4006 VMware
• CVE-2020-5902 F5 BIG-IP
• CVE-2020-14882 Oracle WebLogic
• CVE-2021-21972 VMware vSphere
The SVR is Russia’s civilian foreign intelligence service. According to the agencies’ report, it typically targets governmental and diplomatic organizations, think-tanks, companies in the energy sector and companies doing COVID-19 research.
The U.S., U.K. and Canada also say the SVR was behind the compromise last year of SolarWinds’ Orion network management platform’s software update mechanism.
The most recent advisory also warns CISOs that the SVR is now using the open-source Sliver framework for command and control (C2). Sliver is an adversary emulation/red team platform used by infosec pros for security testing. Sliver’s implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS.
“Despite the complexity of supply chain attacks, following basic cybersecurity principles will make it harder for even sophisticated actors to compromise target networks,” the advisory noted. “By implementing good network security controls and effectively managing user privileges, organizations will help prevent lateral movement between hosts.
“Organizations should ensure sufficient logging (both cloud and on-premises) is enabled and stored for a suitable amount of time, to identify compromised accounts, exfiltrated material and actor infrastructure. Mail retention and content policies should also be implemented to reduce the amount of sensitive information available upon successful compromise. Particularly sensitive information, including information relating to network architecture and network security, should be safeguarded appropriately.”
Separately, SolarWinds now estimates the number of organizations hacked after downloading an infected Orion update, known as Sunburst, is fewer than 100. It estimates 18,000 customers downloaded the update. However, many didn’t install it, or, if they did, their server wasn’t connected to the internet and therefore couldn’t reach a C2 server.
This most recent report by SolarWinds emphasizes that the attackers modified builds of the Orion software platform, not the Orion source code.
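The point above, that a server with no route to the internet cannot complete a C2 connection, describes a control worth verifying from logs rather than assuming. The following is an added example, not code from the article or from SolarWinds, CISA or the NCSC: it reads constructed firewall log lines (the key=value field names, host names and addresses are assumptions) and flags any connection from a host tagged as no-egress to an address outside the organization's internal ranges, separating allowed connections (a firewall policy gap to close) from denied ones (a host that attempted to reach out and should be investigated).

```python
import ipaddress
import re

# Constructed inventory of on-premises servers whose policy is "no direct
# internet egress", the kind of host that could not have reached a C2 server.
# Host names and addresses are assumptions for this example.
NO_EGRESS_HOSTS = {
    "10.0.5.20": "orion-mgmt-01",
    "10.0.5.21": "exchange-01",
}

# Address space the organization treats as internal (RFC 1918 ranges here).
# Defined explicitly rather than via ipaddress.is_private, because that flag
# also covers documentation ranges such as the ones used in the sample below.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed firewall log lines in a key=value layout; the field names are
# assumptions, not any vendor's real format. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for internet addresses.
SAMPLE_LOGS = [
    "ts=2021-05-10T12:00:01Z action=allow src=10.0.5.20 dst=10.0.9.5 dport=443 proto=tcp",
    "ts=2021-05-10T12:00:05Z action=allow src=10.0.5.20 dst=203.0.113.44 dport=443 proto=tcp",
    "ts=2021-05-10T12:00:09Z action=deny src=10.0.5.21 dst=198.51.100.7 dport=53 proto=udp",
    "ts=2021-05-10T12:00:12Z action=allow src=10.0.7.33 dst=203.0.113.44 dport=443 proto=tcp",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return dict(KV_RE.findall(line))


def is_internal(ip):
    """True if the address falls inside one of the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_egress_findings(lines):
    """Return every outbound connection from a no-egress host to a non-internal address.

    An allowed connection means the egress restriction is not actually enforced
    (a policy gap); a denied one means the host tried to reach the internet and
    the reason for that attempt should be investigated.
    """
    findings = []
    for line in lines:
        fields = parse_log_line(line)
        src, dst = fields.get("src"), fields.get("dst")
        if src not in NO_EGRESS_HOSTS or dst is None or is_internal(dst):
            continue
        kind = "policy gap" if fields.get("action") == "allow" else "blocked attempt"
        findings.append({
            "host": NO_EGRESS_HOSTS[src],
            "src": src,
            "dst": dst,
            "dport": fields.get("dport"),
            "action": fields.get("action"),
            "finding": kind,
        })
    return findings


if __name__ == "__main__":
    for item in find_egress_findings(SAMPLE_LOGS):
        print(item)
```

Run against the sample, the script reports two findings: the management server reaching an external address over an allowed rule, and the mail server's denied DNS request to an external resolver. The third external connection comes from a host that is not in the no-egress inventory, so it is ignored.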
As for how the attackers got into SolarWinds’ environment, the company said it is still considering three possibilities:
- Zero-day vulnerability in a third-party application or device.
- Brute-force attack, such as a password spray attack.
- Social engineering, such as a targeted phishing attack.