Russian SVR State Operators Switch Targets Following U.S. Federal Agencies Joint Advisories
The Agencies Warned that SVR Threat Actors Would Carry On With Their Plan to Seek Intelligence from U.S. Entities via Cyber Exploitation.
On April 15, 2021, U.S. Federal Agencies published the “Russian SVR Targets U.S. and Allied Networks” cybersecurity advisory. The advisory detailed the tools, techniques, tradecraft and capabilities of the Russian cyber actors behind the ongoing cyber espionage campaign against the United States and its partners.
Following the advisory, Russian Foreign Intelligence Service (SVR) hackers redirected their attacks to target new flaws.
The warning comes after the United States government officially accused the Russian government of the SolarWinds supply-chain attack on April 15.
On the same day, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) notified enterprises and service providers about the top five vulnerabilities exploited in SVR attacks against U.S. interests.
A third advisory, warning of continued attacks by the Russian SVR against U.S. and foreign organizations, was released on April 26.
The U.S. federal agencies indicated that SVR threat actors frequently exploit the CVE-2019-19781 flaw to gain network access, install WELLMESS malware on vulnerable systems, and use password spraying.
A new NCSC (UK)-CISA-FBI-NSA joint security advisory issued last week warned all network defenders to patch systems as soon as possible, given how quickly Russian SVR threat actors changed targets after the April advisories.
SVR cyber operators appear to have reacted […] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders.
These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses.
The Russian SVR hackers have also started scanning for Microsoft Exchange servers exposed to ProxyLogon attacks targeting CVE-2021-26855.
According to US and UK cyber-agencies, some of the numerous flaws exploited by the Russian SVR are:
- CVE-2018-13379 FortiGate
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-9670 Zimbra
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2019-7609 Kibana
- CVE-2020-4006 VMware
- CVE-2020-5902 F5 Big-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-21972 VMware vSphere
The joint advisory states:
The SVR targets organizations that align with Russian foreign intelligence interests, including governmental, think-tank, policy, and energy targets, as well as more time-bound targeting, for example, COVID-19 vaccine targeting in 2020.
Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage.
Governments and organizations are advised to follow the mitigation advice and guidance shared in the advisory and to use the published Snort and YARA detection rules to identify and protect against ongoing Russian SVR activity.
Here are the main mitigation actions you can take to defend against these attacks:
- Managing and applying security updates as rapidly as possible reduces the attack surface available to SVR operators and forces them to spend higher-equity tooling (more costly, less expendable capabilities) to gain a foothold in a network;
- Implementing good network security controls and effectively managing user privileges helps prevent lateral movement between hosts, limiting the effectiveness of even sophisticated attacks;
- Companies should make sure that adequate logging is enabled and retained for a suitable period so that compromised accounts, exfiltrated data and actor infrastructure can be identified;
- Microsoft’s “MailItemsAccessed” audit action should be used to investigate compromised mailboxes and discover which emails were accessed. This way, businesses can determine which individual mail items were or were not accessed by a malicious actor.
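To show what the last point looks like in practice, here is an added example that is not code from the advisory, from CISA or from Microsoft. It parses constructed Microsoft 365 Unified Audit Log records (the AuditData JSON for the MailItemsAccessed operation) for one compromised mailbox and summarises, per client IP address, which messages were bound individually and which folders were synchronised. The field names (Operation, MailboxOwnerUPN, ClientIPAddress, OperationProperties, Folders, FolderItems, InternetMessageId) follow the published schema as I understand it and should be treated as assumptions to verify against your own export; the mailbox, IP addresses and message IDs are made up. It also surfaces two caveats an investigator needs: a Sync access means every item in that folder must be treated as accessed, and a throttled record means the log is incomplete for that session.

```python
import json

# Constructed sample AuditData records (not real log data), written in the
# assumed shape of Microsoft 365 Unified Audit Log entries. One JSON document
# per element, as you would get from each exported row's AuditData column.
SAMPLE_AUDITDATA = [
    # Legitimate owner activity from a known corporate address (constructed).
    r"""{"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.com",
         "ClientIPAddress": "10.0.0.5", "ClientInfoString": "Client=OWA",
         "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                 {"Name": "IsThrottled", "Value": "False"}],
         "Folders": [{"Path": "\\Inbox", "FolderItems": [
             {"InternetMessageId": "<msg-1@example.com>"},
             {"InternetMessageId": "<msg-2@example.com>"}]}]}""",
    # Individual message bind from an address not on the known-client list.
    r"""{"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.com",
         "ClientIPAddress": "203.0.113.77", "ClientInfoString": "Client=REST",
         "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                 {"Name": "IsThrottled", "Value": "False"}],
         "Folders": [{"Path": "\\Inbox", "FolderItems": [
             {"InternetMessageId": "<msg-3@example.com>"}]}]}""",
    # Whole-folder sync from the same unknown address, and the session was
    # throttled, so later item accesses in this session were not logged.
    r"""{"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.com",
         "ClientIPAddress": "203.0.113.77", "ClientInfoString": "Client=REST",
         "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                 {"Name": "IsThrottled", "Value": "True"}],
         "Folders": [{"Path": "\\Inbox", "FolderItems": []}]}""",
    # Noise: a different mailbox and a different operation, both ignored.
    r"""{"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "bob@example.com",
         "ClientIPAddress": "203.0.113.77", "OperationProperties": [
             {"Name": "MailAccessType", "Value": "Bind"}],
         "Folders": [{"Path": "\\Inbox", "FolderItems": [
             {"InternetMessageId": "<msg-9@example.com>"}]}]}""",
    r"""{"Operation": "Send", "MailboxOwnerUPN": "alice@example.com",
         "ClientIPAddress": "10.0.0.5"}""",
]


def parse_audit_data(raw_records):
    """Decode each AuditData JSON document into a dict."""
    return [json.loads(raw) for raw in raw_records]


def operation_property(record, name):
    """OperationProperties is a list of {Name, Value} pairs; fetch one by name."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def summarize_mail_access(records, mailbox, known_client_ips):
    """Per client IP: bound message IDs, synced folders and throttling for one mailbox."""
    summary = {}
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        if rec.get("MailboxOwnerUPN", "").lower() != mailbox.lower():
            continue
        ip = rec.get("ClientIPAddress", "unknown")
        entry = summary.setdefault(ip, {
            "binds": 0, "syncs": 0,
            "message_ids": set(),      # items we know were opened (Bind)
            "synced_folders": set(),   # folders whose entire content must be treated as read
            "throttled": False,        # True means this IP's audit trail has gaps
            "known_client": ip in known_client_ips,
        })
        if operation_property(rec, "IsThrottled") == "True":
            entry["throttled"] = True
        access_type = operation_property(rec, "MailAccessType")
        if access_type == "Bind":
            entry["binds"] += 1
            for folder in rec.get("Folders", []):
                for item in folder.get("FolderItems", []):
                    entry["message_ids"].add(item["InternetMessageId"])
        elif access_type == "Sync":
            entry["syncs"] += 1
            for folder in rec.get("Folders", []):
                entry["synced_folders"].add(folder.get("Path"))
    return summary


def unexpected_clients(summary):
    """IPs that touched the mailbox but are not on the known-client list."""
    return sorted(ip for ip, entry in summary.items() if not entry["known_client"])


if __name__ == "__main__":
    records = parse_audit_data(SAMPLE_AUDITDATA)
    report = summarize_mail_access(records, "alice@example.com", {"10.0.0.5"})
    for ip in unexpected_clients(report):
        e = report[ip]
        print(f"{ip}: {e['binds']} bind(s) {sorted(e['message_ids'])}, "
              f"{e['syncs']} sync(s) of {sorted(e['synced_folders'])}, "
              f"throttled={e['throttled']}")
```

Run against a real export, the known-client set would come from the organisation's own egress addresses or VPN ranges, and any IP flagged by `unexpected_clients` is a starting point for scoping which messages the actor read: the Bind message IDs are the items known to have been opened, every item in a synced folder has to be assumed read, and a throttled session means the count is a lower bound.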
A summary of mitigation strategies was published by the Cybersecurity and Infrastructure Security Agency to help organizations harden their networks against Russian SVR cyber attacks.