Update on SVR Cyber Operations and Vulnerability Exploitation
Summary:
The FBI, NSA, CNMF, and NCSC-UK have released a joint advisory highlighting the tactics, techniques, and procedures (TTPs) employed by actors associated with the Russian Federation Foreign Intelligence Service (SVR), including APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes. Russian SVR actors are highly skilled and have targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. These actors are known for exploiting software vulnerabilities, employing spear-phishing, abusing the supply chain and trusted relationships, exploiting misconfigurations in cloud environments, developing custom malware, and using living-off-the land techniques to gain initial access, escalate privileges, exfiltrate data, and move laterally across victim environments.
In the last couple of years, targets of these SVR actors have represented entities with Internet-accessible infrastructure vulnerable to exploitation through publicly disclosed vulnerabilities, weak authentication controls, or system misconfigurations. According to the agencies, SVR targeting has not been limited to a particular sector or country. Rather the actors will actively scan internet-facing systems for unpatched vulnerabilities, enabling their attack range to include virtually any organization with vulnerable systems.
Security Officer Comments:
Two specific vulnerabilities were highlighted in the advisory, which have been actively exploited by SVR actors. The first is a Zimbra command injection flaw (CVE-2022-27924) that could enable an unauthenticated attacker to inject arbitrary commands into a targeted Zimbra instance. Notably, hundreds of Zimbra mail servers worldwide have been targeted via this CVE, allowing SVR actors to access user credentials and mailboxes without victim interaction. The other vulnerability (CVE-2023-42793) pertains to an authentication bypass issue impacting JetBrains TeamCity. Since 2023, SVR actors have exploited the JetBrains TeamCity flaw to target entities such as an energy trade association, software development firms, hosting companies, tools manufacturers, and information technology companies.
While CVE-2022-27924 and CVE-2023-42793 have been actively exploited by SVR actors, the agencies note that these actors have the capability and interest to exploit additional CVEs for initial access, remote code execution, and privilege escalation. The advisory includes a list of CVEs that have been publicly disclosed. These CVEs encompass various products/vendors including Cisco, Haxx Libcurl, Android, Supermicro, Qualcomm, Microsoft Exchange, Citrix NetScaler, Apache, SharePoint, Ivanti, Google Chrome, and much more. Given the opportunistic approach of SVR actors, organizations should review these vulnerabilities and apply patches if not done so already.
Suggested Corrections:
The authoring agencies recommend organizations implement the mitigations below to improve yourorganization’s cybersecurity posture on the basis of the threat actor’s activity.
https://www.ic3.gov/Media/News/2024/241010.pdf
The FBI, NSA, CNMF, and NCSC-UK have released a joint advisory highlighting the tactics, techniques, and procedures (TTPs) employed by actors associated with the Russian Federation Foreign Intelligence Service (SVR), including APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes. Russian SVR actors are highly skilled and have targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. These actors are known for exploiting software vulnerabilities, employing spear-phishing, abusing the supply chain and trusted relationships, exploiting misconfigurations in cloud environments, developing custom malware, and using living-off-the land techniques to gain initial access, escalate privileges, exfiltrate data, and move laterally across victim environments.
In the last couple of years, targets of these SVR actors have represented entities with Internet-accessible infrastructure vulnerable to exploitation through publicly disclosed vulnerabilities, weak authentication controls, or system misconfigurations. According to the agencies, SVR targeting has not been limited to a particular sector or country. Rather the actors will actively scan internet-facing systems for unpatched vulnerabilities, enabling their attack range to include virtually any organization with vulnerable systems.
Security Officer Comments:
Two specific vulnerabilities were highlighted in the advisory, which have been actively exploited by SVR actors. The first is a Zimbra command injection flaw (CVE-2022-27924) that could enable an unauthenticated attacker to inject arbitrary commands into a targeted Zimbra instance. Notably, hundreds of Zimbra mail servers worldwide have been targeted via this CVE, allowing SVR actors to access user credentials and mailboxes without victim interaction. The other vulnerability (CVE-2023-42793) pertains to an authentication bypass issue impacting JetBrains TeamCity. Since 2023, SVR actors have exploited the JetBrains TeamCity flaw to target entities such as an energy trade association, software development firms, hosting companies, tools manufacturers, and information technology companies.
While CVE-2022-27924 and CVE-2023-42793 have been actively exploited by SVR actors, the agencies note that these actors have the capability and interest to exploit additional CVEs for initial access, remote code execution, and privilege escalation. The advisory includes a list of CVEs that have been publicly disclosed. These CVEs encompass various products/vendors including Cisco, Haxx Libcurl, Android, Supermicro, Qualcomm, Microsoft Exchange, Citrix NetScaler, Apache, SharePoint, Ivanti, Google Chrome, and much more. Given the opportunistic approach of SVR actors, organizations should review these vulnerabilities and apply patches if not done so already.
Suggested Corrections:
The authoring agencies recommend organizations implement the mitigations below to improve yourorganization’s cybersecurity posture on the basis of the threat actor’s activity.
- Prioritize rapid deployment of patches and software updates as soon as they becomeavailable. Enable automatic updates where possible.
- Reduce attack surface by disabling Internet-accessible services that you do not need, orrestrict access to trusted networks, and removing unused applications and utilities fromworkstations and development environments.
- Perform continuous threat hunting activities.
- Ensure proper configuration of systems – check for open ports and obsolete or unusedprotocols, especially on Internet-facing systems.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure ofinternal networks.
- Require and enforce multi-factor authentication whenever possible.
- Require additional identity challenges for enrollment of new devices when users are permittedto self-enroll multi-factor authentication mechanisms or register devices on the corporatenetwork.
- Notify users across multiple platforms when devices have been successfully registered to helpidentify unexpected registrations. Train and encourage users to notice and report unexpectedregistrations.
- Enable robust logging for authentication services and Internet-facing functions.Regularly audit cloud-based accounts and applications with administrative access to email forunusual activity.
- Limit token access lifetimes and monitor for evidence of token reuse.
- Enforce least-privileged access and disable external management capabilities.
- Baseline authorized devices and apply additional scrutiny to systems accessing networkresources that do not adhere to the baseline.
- Disable remote downloading of information to non-enrolled devices when possible.
https://www.ic3.gov/Media/News/2024/241010.pdf