US Urges Organizations to Implement MFA, Other Controls to Defend Against Russian Attacks

Actors working for Moscow's Foreign Intelligence Service are actively targeting organizations in government and other sectors, FBI and DHS say.

The FBI, the Department of Homeland Security (DHS), and the Cybersecurity & Infrastructure Security Agency (CISA) are urging US organizations to implement multifactor authentication and other defensive mechanisms to protect against threat activity by Russia's Foreign Intelligence Service (SVR).

In a new joint advisory out today, the three entities warn government agencies, think tanks, information technology companies, and policy analysis organizations in particular to watch out for attacks from APT29, a threat group that they describe as working for the SVR.


The alert does not point to any specific new and recent threats or attacks from APT29 (aka Cozy Bear, Dukes, and Yttrium) targeting organizations in these sectors. But it does note the longstanding threat the group has posed to US organizations and the group's use of customized tools to maximize stealth and to move laterally within victim networks. Since at least 2018, the group has shifted from predominantly targeting on-premises assets to targeting cloud-hosted email and other cloud resources, the three agencies say.

"[SVR] will continue to seek intelligence from US and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks," the alert notes.

This is the second time that US law enforcement has warned of SVR threat activity in the last two weeks. On April 15, shortly after the Biden administration formally attributed the SolarWinds attack to SVR, the FBI, DHS, and CISA released an advisory warning about the Russian intelligence service exploiting five known vulnerabilities in VPNs and other technologies to compromise US companies.

That advisory highlighted how, in addition to the SolarWinds supply chain attack, the SVR was responsible for several other recent campaigns, including several targeted attacks on COVID-19 research facilities.

Organizations should pay attention to advisories such as these that offer information on adversary tradecraft and recommendations for addressing threats that an adversary might present, says Sean Nikkei, senior cyber-threat intelligence analyst at Digital Shadows. "We have to assume that there are ongoing or will be new campaigns due to the nature of intelligence collection for strategic goal," Nikkei says.

"The information can certainly help any organization because it gives them a chance to update and vet their signatures, talk to their vendors, and think about how they might be targeted," he says.

The new advisory highlights three tactics that SVR and threat groups working for it have been observed using in recent attacks: password spraying, zero-day exploits, and the use of a malware tool set called WellMess for enabling encrypted command-and-control sessions on an infected system.

The advisory points to a 2018 compromise, where SVR agents used password spraying to find and exploit a weak password to an administrator account. The attack involved the adversary conducting the password spraying in a "low and slow" manner using a large number of local IP addresses associated with business, residential, and mobile accounts, in order to evade detection. The attackers used their access to the admin account to modify permissions and gain access to email accounts of specific interest to them, according to the joint advisory.
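A "low and slow" spray of the kind described above is built to stay under per-IP lockout and alerting thresholds: each source address tries only one or two passwords, so the signal appears only when failures are aggregated across the whole tenant. The following detection logic is an added example written for this article, not code from the advisory or from any agency; the log format and the sample lines are constructed for the demo, and the thresholds (5 distinct users, 5 distinct source IPs, at most 2 failures per IP inside a one-hour window) are assumptions to tune against your own baseline.

```python
"""Detect "low and slow" password spraying in authentication logs.

Added example (not from the advisory): a spray touches many accounts from many
source IPs with very few failures per IP, so a classic per-IP threshold never
trips. Aggregating failures per time window across the tenant exposes it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
#   <ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>
# Lines 1-8: one failure each against eight accounts from eight addresses.
# Lines 9-13: ordinary traffic, including one user mistyping a password twice.
SAMPLE_LOG = """\
2021-04-26T09:00:01 FAIL user=alice src=198.51.100.10
2021-04-26T09:03:12 FAIL user=bob src=203.0.113.44
2021-04-26T09:07:45 FAIL user=carol src=192.0.2.77
2021-04-26T09:12:30 FAIL user=dave src=198.51.100.23
2021-04-26T09:18:02 FAIL user=erin src=203.0.113.9
2021-04-26T09:25:19 FAIL user=frank src=192.0.2.150
2021-04-26T09:31:55 FAIL user=grace src=198.51.100.77
2021-04-26T09:40:08 FAIL user=heidi src=203.0.113.201
2021-04-26T09:47:43 SUCCESS user=admin src=192.0.2.8
2021-04-26T09:48:00 SUCCESS user=alice src=10.0.0.5
2021-04-26T12:00:00 FAIL user=alice src=10.0.0.5
2021-04-26T12:00:03 FAIL user=alice src=10.0.0.5
2021-04-26T12:00:09 SUCCESS user=alice src=10.0.0.5
"""


def parse_events(log_text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, result, user_field, src_field = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts_str),
            "ok": result == "SUCCESS",
            "user": user_field.split("=", 1)[1],
            "src": src_field.split("=", 1)[1],
        })
    return events


def per_ip_threshold_alerts(log_text, threshold=3):
    """The classic rule: alert on any single IP with >= threshold failures.

    Returns {ip: failure_count} for IPs over the threshold. Against a spray
    that uses one or two attempts per address this returns nothing.
    """
    counts = defaultdict(int)
    for ev in parse_events(log_text):
        if not ev["ok"]:
            counts[ev["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def detect_spray(log_text, window=timedelta(hours=1), min_users=5,
                 min_ips=5, max_per_ip=2):
    """Tenant-wide rule: many users and many IPs, but few failures per IP.

    Failures are grouped into fixed windows measured from the first failure,
    so the grouping does not depend on the host's time zone. Returns one
    alert dict per window that matches the spray shape.
    """
    failures = [ev for ev in parse_events(log_text) if not ev["ok"]]
    if not failures:
        return []
    t0 = min(ev["ts"] for ev in failures)
    buckets = defaultdict(list)
    for ev in failures:
        buckets[(ev["ts"] - t0) // window].append(ev)

    alerts = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        per_ip = defaultdict(int)
        for ev in evs:
            per_ip[ev["src"]] += 1
        users = {ev["user"] for ev in evs}
        busiest_ip = max(per_ip.values())
        if (len(users) >= min_users and len(per_ip) >= min_ips
                and busiest_ip <= max_per_ip):
            alerts.append({
                "window_start": t0 + idx * window,
                "distinct_users": len(users),
                "distinct_ips": len(per_ip),
                "max_failures_per_ip": busiest_ip,
            })
    return alerts


if __name__ == "__main__":
    print("per-IP rule:", per_ip_threshold_alerts(SAMPLE_LOG))
    for alert in detect_spray(SAMPLE_LOG):
        print("spray window:", alert)
```

On the sample, the per-IP rule stays silent while the tenant-wide rule flags the 09:00 window (eight users, eight addresses, one failure each) and ignores the noon window, which is one user retrying from one address. A slower spray spread over a day needs a longer window and correspondingly higher user and IP counts; the shape of the rule does not change.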

In another incident, actors working for SVR exploited a then-zero-day vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) to gain access to an enterprise network and harvest credentials, which they used to access other systems on the network. The actors acquired a foothold on several systems that were not configured for two-factor authentication. Though the breached organization eventually discovered the intrusion and evicted the attackers, the attackers regained access via the same Citrix flaw. That initial access point was discovered as well, and closed down, according to the advisory.

The FBI, DHS, and CISA alert describes the WellMess malware family as being used in targeted attacks on COVID-19 research facilities. "These implants allow a remote operator to establish encrypted command and control (C2) sessions and to securely pass and execute scripts on an infected system," the advisory notes.

Multiple Recommendations

The three entities urge organizations to consider mandating the use of multifactor authentication for all on-premises and remote users and administrators. They also recommend that organizations allow access to admin systems and functions only from known IP addresses, conduct regular audits of account permissions and mailbox settings, and implement strong passwords.

To defend against zero-day threats, the advisory recommends that security teams monitor for evidence of encoded PowerShell commands and for the use of NMAP and other network scanning tools, and ensure that endpoint security and monitoring systems are enabled.
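The two monitoring items above translate directly into a process-creation log rule: look for PowerShell launched with an encoded command (and decode it so the analyst sees what was run, not just that something was hidden) and for scanner binaries such as nmap starting on hosts where they have no business. The following is an added example written for this article, not code from the advisory; the log format, the field names, the sample lines and the scanner image list are constructed assumptions and not any product's schema, and the encoded payload is a harmless `Write-Output` built inline so the decoding step can be checked.

```python
"""Flag encoded PowerShell and network-scanner launches in process logs.

Added example (not from the advisory). PowerShell's -EncodedCommand takes
base64 of the UTF-16LE command text and accepts abbreviated switch names
(-e, -ec, -enc, ...), which is what the regex below accounts for.
"""
import base64
import binascii
import re

# Constructed: base64 of the UTF-16LE bytes of a harmless command, exactly
# the encoding -EncodedCommand expects, so the decoder can be verified.
DEMO_PLAINTEXT = "Write-Output 'hello'"
DEMO_B64 = base64.b64encode(DEMO_PLAINTEXT.encode("utf-16le")).decode("ascii")

# Constructed sample lines in an assumed format:
#   <ts> host=<h> user=<u> image=<path> cmdline=<full command line>
SAMPLE_LOG = [
    "2021-04-26T10:01:05 host=ws01 user=alice "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f"cmdline=powershell.exe -NoProfile -EncodedCommand {DEMO_B64}",
    "2021-04-26T10:02:17 host=ws02 user=bob "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f"cmdline=powershell.exe -NonInteractive -enc {DEMO_B64}",
    "2021-04-26T10:05:40 host=ws02 user=bob image=C:\\Tools\\nmap.exe "
    "cmdline=nmap.exe 10.0.0.0/24",
    "2021-04-26T10:06:00 host=ws03 user=carol "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
    "2021-04-26T10:07:30 host=ws03 user=carol image=C:\\Windows\\notepad.exe "
    "cmdline=notepad.exe",
]

LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)
# A switch that is -e, -ec, -en or -enc<anything>, followed by a base64 blob.
# -ExecutionPolicy does not match because "ex" is not one of the prefixes.
ENCODED_FLAG_RE = re.compile(
    r"(?i)(?<!\S)[-/](?:e|ec|en|enc[a-z]*)\s+([A-Za-z0-9+/=]{8,})"
)
SCANNER_IMAGES = {"nmap.exe", "nmap", "zenmap.exe"}  # assumption; extend locally
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def decode_powershell_b64(b64):
    """Decode an -EncodedCommand argument; None if it is not valid base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16le", errors="replace")


def scan_process_log(lines):
    """Return one finding dict per suspicious process-creation line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        rec = m.groupdict()
        image_name = rec["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image_name in SCANNER_IMAGES:
            findings.append({"reason": "network_scanner", "decoded": None, **rec})
        if image_name in POWERSHELL_IMAGES:
            enc = ENCODED_FLAG_RE.search(rec["cmdline"])
            if enc:
                findings.append({
                    "reason": "encoded_powershell",
                    "decoded": decode_powershell_b64(enc.group(1)),
                    **rec,
                })
    return findings


if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_LOG):
        print(f["reason"], f["host"], f["user"], repr(f["decoded"]))
```

The decoded text is the value to triage: an encoded command is only a hint, while its plaintext shows whether the launch was a benign scheduled task or something that belongs in an incident ticket. Keeping the scanner list short and host-scoped (servers that never run nmap) keeps the rule's false-positive rate low.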

Defending against supply chain attacks such as the one that affected SolarWinds' customers can be tricky, the advisory concedes. But organizations can mitigate risk by implementing practices such as log file auditing to identify attempts to access privileged certificates; deploying controls for identifying suspicious behavior; implementing behavioral monitoring; and requiring authentication for certain user activities.

Dirk Schrader, global vice president of security research at New Net Technologies, says advisories such as the one released today help organizations get a better picture of the real-life operations of an advanced adversary. However, too many of them can end up being a distraction, he says. "Frequent advisories will lead to many questions from senior management and executive boards about the status of an organization in the light of those," he says. "Cybersecurity teams will be — at least — required to balance these requests with their regular work."

A lot of the recommendations included in these advisories — such as enabling multifactor authentication and not allowing remote logins from unknown IP addresses — are also things that organizations should be doing already, says Joseph Neumann, cyber executive advisor at Coalfire.

These advisories also just speak to the tactics, techniques, and procedures, Neumann notes. "These are helpful to a degree that allows administrators and defenders to know where to start their initial looks," he says. "But [they] fall short of giving [organizations] data that they can plug in to security tools to begin immediate automated remediations and mitigations."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
