4/26/2021 07:20 PM
US Urges Organizations to Implement MFA, Other Controls to Defend Against Russian Attacks

Actors working for Moscow's Foreign Intelligence Service are actively targeting organizations in government and other sectors, FBI and DHS say.

The FBI, the Department of Homeland Security (DHS), and the Cybersecurity & Infrastructure Security Agency (CISA) are urging US organizations to implement multifactor authentication and other defensive mechanisms to protect against threat activity by Russia's Foreign Intelligence Service (SVR).

In a new joint advisory out today, the three entities warn government agencies, think tanks, information technology companies, and policy analysis organizations in particular to watch out for attacks from APT29, a threat group that they describe as working for the SVR.

The alert does not point to any specific new and recent threats or attacks from APT29 (aka Cozy Bear, Dukes, and Yttrium) targeting organizations in these sectors. But it does note the longstanding threat the group has posed to US organizations and the group's use of customized tools to maximize stealth and to move laterally within victim networks. Since at least 2018, the group has shifted from predominantly targeting on-premises assets to targeting cloud-hosted email and other cloud resources, the three agencies say.

"[SVR] will continue to seek intelligence from US and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks," the alert notes.

This is the second time that US law enforcement has warned of SVR threat activity in the last two weeks. On April 15, shortly after the Biden administration formally attributed the SolarWinds attack to SVR, the FBI, DHS, and CISA released an advisory warning about the Russian intelligence service exploiting five known vulnerabilities in VPNs and other technologies to compromise US companies.

That advisory highlighted how, in addition to the SolarWinds supply chain attack, the SVR was responsible for several other recent campaigns, including several targeted attacks on COVID-19 research facilities.

Organizations should pay attention to advisories such as these that offer information on adversary tradecraft and recommendations for addressing threats that an adversary might present, says Sean Nikkel, senior cyber-threat intelligence analyst at Digital Shadows. "We have to assume that there are ongoing or will be new campaigns due to the nature of intelligence collection for strategic goals," Nikkel says.

"The information can certainly help any organization because it gives them a chance to update and vet their signatures, talk to their vendors, and think about how they might be targeted," he says.

The new advisory highlights three tactics that SVR and threat groups working for it have been observed using in recent attacks: password spraying, zero-day exploits, and the use of a malware tool set called WellMess for enabling encrypted command-and-control sessions on an infected system.

The advisory points to a 2018 compromise in which SVR agents used password spraying to find and exploit a weak password on an administrator account. To evade detection, the adversary conducted the password spraying in a "low and slow" manner, using a large number of local IP addresses associated with business, residential, and mobile accounts. The attackers then used their access to the admin account to modify permissions and gain access to email accounts of specific interest to them, according to the joint advisory.
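The "low and slow" spray described above has a recognisable shape in authentication logs: many distinct accounts fail from many distinct source addresses, each address trying only once or twice. The following is an added example, not code from the article or the advisory; the log lines are constructed, and the thresholds (`min_users`, `min_ips`, `per_ip_cap`) are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data): "timestamp result user source_ip".
# The morning entries mimic a low-and-slow spray: one failure per account, each from a
# different address, followed by a success against an admin account. The afternoon
# entries are plain brute force against one account from one host (not a spray).
SAMPLE_LOG = """\
2021-04-01T09:00:05 FAIL alice 203.0.113.10
2021-04-01T09:03:40 FAIL bob 198.51.100.22
2021-04-01T09:07:12 FAIL carol 192.0.2.77
2021-04-01T09:11:58 FAIL dave 203.0.113.45
2021-04-01T09:15:30 FAIL erin 198.51.100.9
2021-04-01T09:19:02 FAIL frank 192.0.2.140
2021-04-01T09:22:47 FAIL grace 203.0.113.201
2021-04-01T09:26:19 SUCCESS admin 198.51.100.160
2021-04-01T13:00:00 FAIL heidi 10.0.0.5
2021-04-01T13:00:02 FAIL heidi 10.0.0.5
2021-04-01T13:00:04 FAIL heidi 10.0.0.5
2021-04-01T13:00:06 FAIL heidi 10.0.0.5
"""


def parse(log):
    """Yield (hour_bucket, result, user, ip) for each log line."""
    for line in log.splitlines():
        ts, result, user, ip = line.split()
        bucket = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        yield bucket, result, user, ip


def detect_spray(log, min_users=5, min_ips=5, per_ip_cap=2):
    """Flag hourly windows whose failures touch many accounts from many IPs with
    each IP trying only a few times, and list successful logins in those windows
    (the accounts to review first). Single-IP brute force does not match and is
    left to an ordinary lockout/threshold rule."""
    fails, successes = defaultdict(list), defaultdict(list)
    for bucket, result, user, ip in parse(log):
        (fails if result == "FAIL" else successes)[bucket].append((user, ip))
    hits = []
    for bucket, events in sorted(fails.items()):
        users = {u for u, _ in events}
        per_ip = Counter(ip for _, ip in events)
        if len(users) >= min_users and len(per_ip) >= min_ips and max(per_ip.values()) <= per_ip_cap:
            hits.append({"window": bucket.isoformat(), "distinct_users": len(users),
                         "distinct_ips": len(per_ip), "successes": successes.get(bucket, [])})
    return hits


if __name__ == "__main__":
    for hit in detect_spray(SAMPLE_LOG):
        print(hit)
```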

In another incident, actors working for SVR exploited a then-zero-day vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) to gain access to an enterprise network and harvest credentials, which they used to access other systems on the network. The actors acquired a foothold on several systems that were not configured for two-factor authentication. Though the breached organization eventually discovered the intrusion and evicted the attackers, the attackers regained access via the same Citrix flaw. That initial access point was discovered as well and closed down, according to the advisory.

The FBI, DHS, and CISA alert describes the WellMess malware family as being used in targeted attacks on COVID-19 research facilities. "These implants allow a remote operator to establish encrypted command and control (C2) sessions and to securely pass and execute scripts on an infected system," the advisory notes.

Multiple Recommendations

The three entities urge organizations to consider mandating the use of multifactor authentication for all on-premises and remote users and administrators. They also recommend that organizations allow access to admin systems and functions only from known IP addresses, conduct regular audits of account permissions and mailbox settings, and implement strong passwords.

To defend against zero-day threats, the advisory recommends that security teams monitor for evidence of encoded PowerShell commands and use of NMAP and other network scanning tools, and ensure that endpoint security and monitoring systems are enabled.
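One way to act on that recommendation is to triage process-creation telemetry for abbreviated `-EncodedCommand` switches (PowerShell also accepts short forms such as `-e`, `-ec` and `-enc`) and decode the base64/UTF-16LE payload so an analyst can read what was run. This is an added example, not code from the article or the advisory; the events and the scanner name list are constructed assumptions.

```python
import base64
import binascii
import re

# PowerShell accepts abbreviated switch names, so match every prefix of -EncodedCommand
# down to -e (case-insensitive), followed by a base64-looking blob. Longest prefix first.
_ENC_SWITCH = "|".join(re.escape("encodedcommand"[:i]) for i in range(14, 0, -1))
ENCODED_PS = re.compile(
    r"(?i)\bpowershell(?:\.exe)?\b.*?(?:^|\s)[-/](?:%s)\s+([A-Za-z0-9+/=]{8,})" % _ENC_SWITCH)
SCANNERS = ("nmap", "masscan", "zmap")   # assumed list; extend with local tooling


def _encode(cmd):
    """Build a -EncodedCommand argument the way PowerShell expects (UTF-16LE, then base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (not real telemetry): (host, command_line)
SAMPLE_EVENTS = [
    ("ws01", "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ("ws02", "powershell.exe -nop -w hidden -enc " + _encode("Get-Process | Out-File C:\\Temp\\p.txt")),
    ("srv03", "C:\\Tools\\nmap.exe -p 445 10.0.0.0/24"),
    ("ws04", "powershell -e AAAAAAAAA"),   # abbreviated switch with a malformed blob
]


def decode_encoded_command(blob):
    """Decode a -EncodedCommand argument; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(events):
    """Return findings: encoded PowerShell (with the decoded command) and scanner usage.
    A malformed blob is still flagged, since the switch itself is the signal."""
    findings = []
    for host, cmdline in events:
        m = ENCODED_PS.search(cmdline)
        if m:
            findings.append({"host": host, "rule": "encoded_powershell",
                             "decoded": decode_encoded_command(m.group(1))})
        exe = cmdline.split()[0].lower().rsplit("\\", 1)[-1]
        if exe.removesuffix(".exe") in SCANNERS:
            findings.append({"host": host, "rule": "network_scanner", "tool": exe})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```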

Defending against supply chain attacks such as the one that affected SolarWinds' customers can be tricky, the advisory concedes. But organizations can mitigate risk by implementing practices such as log file auditing to identify attempts to access privileged certificates; deploying controls for identifying suspicious behavior; implementing behavioral monitoring; and requiring authentication for certain user activities.

Dirk Schrader, global vice president of security research at New Net Technologies, says advisories such as the one released today help organizations get a better picture of the real-life operations of an advanced adversary. However, too many of them can end up being a distraction, he says. "Frequent advisories will lead to many questions from senior management and executive boards about the status of an organization in the light of those," he says. "Cybersecurity teams will be — at least — required to balance these requests with their regular work."

A lot of the recommendations included in these advisories — such as enabling multifactor authentication and not allowing remote logins from unknown IP addresses — are also things that organizations should be doing already, says Joseph Neumann, cyber executive advisor at Coalfire.

These advisories also just speak to the tactics, techniques, and procedures, Neumann notes. "These are helpful to a degree that allows administrators and defenders to know where to start their initial looks," he says. "But [they] fall short of giving [organizations] data that they can plug in to security tools to begin immediate automated remediations and mitigations."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...