The FBI, the Department of Homeland Security (DHS), and the Cybersecurity & Infrastructure Security Agency (CISA) are urging US organizations to implement multifactor authentication and other defensive mechanisms to protect against threat activity by Russia's Foreign Intelligence Service (SVR).
In a new joint advisory out today, the three entities warn government agencies, think tanks, information technology companies, and policy analysis organizations in particular to watch out for attacks from APT29, a threat group that they describe as working for the SVR.
The alert does not point to any specific new and recent threats or attacks from APT29 (aka Cozy Bear, Dukes, and Yttrium) targeting organizations in these sectors. But it does note the longstanding threat the group has posed to US organizations and the group's use of customized tools to maximize stealth and to move laterally within victim networks. Since at least 2018, the group has shifted from predominantly targeting on-premises assets to targeting cloud-hosted email and other cloud resources, the three agencies say.
"[SVR] will continue to seek intelligence from US and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks," the alert notes.
This is the second time that US law enforcement has warned of SVR threat activity in the last two weeks. On April 15, shortly after the Biden administration formally attributed the SolarWinds attack to SVR, the FBI, DHS, and CISA released an advisory warning about the Russian intelligence service exploiting five known vulnerabilities in VPNs and other technologies to compromise US companies.
That advisory highlighted how, in addition to the SolarWinds supply chain attack, the SVR was responsible for several other recent campaigns, including several targeted attacks on COVID-19 research facilities.
Organizations should pay attention to advisories such as these that offer information on adversary tradecraft and recommendations for addressing threats that an adversary might present, says Sean Nikkei, senior cyber-threat intelligence analyst at Digital Shadows. "We have to assume that there are ongoing or will be new campaigns due to the nature of intelligence collection for strategic goal," Nikkei says.
"The information can certainly help any organization because it gives them a chance to update and vet their signatures, talk to their vendors, and think about how they might be targeted," he says.
The new advisory highlights three tactics that SVR and threat groups working for it have been observed using in recent attacks: password spraying, zero-day exploits, and the use of a malware tool set called WellMess for enabling encrypted command-and-control sessions on an infected system.
The advisory points to a 2018 compromise, where SVR agents used password spraying to find and exploit a weak password to an administrator account. The attack involved the adversary conducting the password spraying in a "low and slow" manner using a large number of local IP addresses associated with business, residential, and mobile accounts, in order to evade detection. The attackers used their access to the admin account to modify permissions and gain access to email accounts of specific interest to them, according to the joint advisory.
In another incident, actors working for SVR exploited a then zero-day vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) to gain access to an enterprise network and harvest credentials, which they used to access other systems on the network. The actors acquired a foothold on several systems that were not configured for two-factor authentication. Though the breached organization eventually discovered the intrusion and evicted the attackers, they regained access via the same Citrix flaw. That initial access point was discovered as well, and closed down, according to the advisory.
The FBI, DHS, and CISA alert describes the WellMess malware family as being used in targeted attacks on COVID-19 research facilities. "These implants allow a remote operator to establish encrypted command and control (C2) sessions and to securely pass and execute scripts on an infected system," the advisory notes.
The three entities urge organizations to consider mandating the use of multifactor authentication for all on-premises and remote users and administrators. They also recommend that organizations allow access to admin systems and functions only from known IP addresses, conduct regular audits of account permissions and mailbox settings, and implement strong passwords.
To defend against zero-day threats, the advisory recommends that security teams monitor for evidence of encoded PowerShell commands and use of NMAP and other network scanning tools, and to ensure endpoint security and monitoring systems are enabled.
Defending against supply chain attacks such as the one that affected SolarWinds' customers can be tricky, the advisory concedes. But organizations can mitigate risk by implementing practices such as log file auditing to identify attempts to access privileged certificates; deploying controls for identifying suspicious behavior; implementing behavioral monitoring; and requiring authentication for certain user activities.
Dirk Schrader, global vice president of security research at New Net Technologies, says advisories such as the one released today help organizations get a better picture of the real-life operations of an advanced adversary. However, too many of them can end up being a distraction, he says. "Frequent advisories will lead to many questions from senior management and executive boards about the status of an organization in the light of those," he says. "Cybersecurity teams will be — at least — required to balance these requests with their regular work.”
A lot of the recommendations included in these advisories — such as enabling multifactor authentication and not allowing from remote logins from unknown IP addresses — are also things that organizations should be doing already, says Joseph Neumann, cyber executive advisor at Coalfire.
These advisories also just speak to the tactics, techniques, and procedures, Neumann notes. "These are helpful to a degree that allows administrators and defenders to know where to start their initial looks," he says. "But [they] fall short of giving [organizations] data that they can plug in to security tools to begin immediate automated remediations and mitigations."