On May 7th a joint advisory put together by the NCSC, CISA, FBI, and the NSA warned that the Russian SVR has once again switched its tactics in an effort to avoid detection. This comes on the heels of a separate advisory released on April 26th, warning of attacks being carried out by the Russian SVR against various foreign and US organizations. The group has begun using the open-source tool Sliver and has also started scanning for Microsoft Exchange servers that are vulnerable to CVE-2021-26855. The list below contains the most common bugs the Russian SVR has taken advantage of. These are not all of the tactics they used, just the most commonly observed vulnerabilities they exploited where systems were not patched:
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-9670 Zimbra
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2019-7609 Kibana
- CVE-2020-4006 VMWare
- CVE-2020-5902 F5 Big-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-21972 VMWare vSphere
Since the group will likely continue to update its tactics, techniques, and procedures (TTPs), it is important to make sure all patches are applied as soon as possible. The joint advisory also included mitigation measures that give organizations the best chance of defending against these attacks. Those include:
• Managing and applying security updates as quickly as possible will help reduce the attack surface available for SVR actors and force them to use higher equity tooling to gain a foothold in the networks.
• By implementing good network security controls and effectively managing user privileges, organizations will help prevent lateral movement between hosts. This will help limit the effectiveness of even complex attacks.
• Detecting supply chain attacks, such as the Mimecast compromise, will always be difficult. An organization may detect this sort of activity through heuristic detection methodologies such as the volume of emails being accessed or by identifying anomalous IP traffic.
• Organizations should ensure sufficient logging (both cloud and on-premises) is enabled and stored for a suitable amount of time to identify compromised accounts, exfiltrated material, and actor infrastructure.
• Use Microsoft’s mailbox auditing action called ‘MailItemsAccessed’ to investigate the compromise of email accounts and identify emails accessed by users. This gives organizations forensic defensibility to help assert which individual pieces of mail were or were not maliciously accessed by an attacker.
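The last two points, the volume-of-access heuristic and the MailItemsAccessed audit action, can be combined in a small triage script. The example below is added here and is not code from the advisory or from Microsoft; it parses a few constructed MailItemsAccessed records (the AuditData JSON that the Microsoft 365 Unified Audit Log exports, with field names assumed to follow Microsoft's documented schema) and summarizes, per user and client IP, which messages are proven accessed, which folders were synced whole, and where throttling means the item list is incomplete.

```python
import json
from collections import defaultdict

# Constructed sample AuditData records (MailItemsAccessed events). Field names are an
# assumption based on Microsoft's documented schema; users, IPs and IDs are invented.
SAMPLE_AUDIT_DATA = [
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@example.test",
                "ClientIPAddress": "203.0.113.7", "SessionId": "s1",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                        {"Name": "IsThrottled", "Value": "False"}],
                "Folders": [{"Path": "\\Inbox", "FolderItems": [
                    {"InternetMessageId": "<m1@example.test>"},
                    {"InternetMessageId": "<m2@example.test>"}]}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@example.test",
                "ClientIPAddress": "198.51.100.9", "SessionId": "s2",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                        {"Name": "IsThrottled", "Value": "False"}],
                "Folders": [{"Path": "\\Sent Items", "FolderItems": []}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@example.test",
                "ClientIPAddress": "198.51.100.9", "SessionId": "s3",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                        {"Name": "IsThrottled", "Value": "True"}],
                "Folders": [{"Path": "\\Inbox", "FolderItems": [
                    {"InternetMessageId": "<m3@example.test>"}]}]}),
]

def parse_record(raw):
    """Reduce one AuditData JSON string to the fields an investigator needs."""
    rec = json.loads(raw)
    props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
    folders = rec.get("Folders", [])
    return {"user": rec["UserId"], "ip": rec.get("ClientIPAddress"),
            "access": props.get("MailAccessType"),
            "throttled": props.get("IsThrottled") == "True",
            "folders": [f["Path"] for f in folders],
            "items": [i["InternetMessageId"] for f in folders for i in f.get("FolderItems", [])]}

def summarize(raw_records):
    """Per (user, client IP): message IDs proven accessed (Bind), folders downloaded whole
    (Sync), and an 'incomplete' flag when throttling means not every item was logged."""
    summary = defaultdict(lambda: {"bind_items": set(), "sync_folders": set(), "incomplete": False})
    for raw in raw_records:
        r = parse_record(raw)
        entry = summary[(r["user"], r["ip"])]
        if r["access"] == "Sync":
            entry["sync_folders"].update(r["folders"])  # whole folder pulled, items not enumerated
        else:
            entry["bind_items"].update(r["items"])
        entry["incomplete"] |= r["throttled"]  # throttled records under-report accessed items
    return dict(summary)

def flag_for_review(summary, threshold):
    """Volume heuristic: sessions with many individual reads, any whole-folder sync, or
    throttled (under-reported) records deserve an analyst's attention."""
    return sorted(k for k, v in summary.items()
                  if len(v["bind_items"]) >= threshold or v["sync_folders"] or v["incomplete"])
```

The second client IP is flagged even though it only shows one individual message ID, because the sync of a whole folder and the throttled record together mean the audit trail cannot prove that access was limited to that one message.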
Link to the joint advisory: https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf