Today, UK NCSC and CISA-FBI-NSA cybersecurity agencies published a joint security advisory that warns organizations to patch systems immediately to mitigate the risk of attacks conducted by Russia-linked SVR group (aka APT29, Cozy Bear, and The Dukes)). The joint report states that the cyberspies have already changed targets following the April advisories.
The NCSC, NSA, CISA, and CSE have previously issued a joint report regarding the group’s campaigns aimed at organizations involved in COVID-19 vaccine development throughout 2020 using WellMess and WellMail malware. The news joint repost, speculate the SVR has reacted to the report by changing their TTPs. These changes reported by the government experts include the deployment of the open-source tool Sliver to gain persistence on the compromised infrastructure and the use of multiple vulnerabilities, including Microsoft Exchange ProxyLogon vulnerability CVE-2021-26855.
“SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders.” states the report.SVR cyber operators appear to have
reacted to this report by changing their
TTPs in an attempt to avoid further
detection and remediation efforts by
network defenders.
Below the full list vulnerabilities exploited by Russian SVR in multiple attacks:
• CVE-2018-13379 FortiGate
• CVE-2019-1653 Cisco router
• CVE-2019-2725 Oracle WebLogic Server
• CVE-2019-9670 Zimbra
• CVE-2019-11510 Pulse Secure
• CVE-2019-19781 Citrix
• CVE-2019-7609 Kibana
• CVE-2020-4006 VMWare
• CVE-2020-5902 F5 Big-IP
• CVE-2020-14882 Oracle WebLogic
• CVE-2021-21972 VMWare vSphere
Clearly, the above list should not be treated as exhaustive. According to the advisory, APT29 targets organizations that align with Russian foreign intelligence interests. The list of targets includes governmental, think-tank, policy and energy targets, and organizations involved in the development of the COVID19 vaccine.
The report includes mitigation advice, along with Snort and YARA rules that could be used by organizations to detect and defend against attacks conducted by the Russian SVR cyberspies.
US CISA also published details about Russian SVR activities related to SolarWinds compromise which include mitigation strategies.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, APT29)
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
This website uses cookies.