From time to time, U.S. security agencies issue advisories to help secure networks against highly dangerous cyber threats. Recently, the cyber operators from Russia's Foreign Intelligence Service (SVR), known as APT29 (Cozy Bear), have reacted to these advisories by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders.
The latest advisory
The latest U.S.-U.K. joint security advisory warns users to patch systems as early as possible. It reports that the SVR attackers have been updating their attack methods and targets quickly since the previous advisories were published.
- The first change includes the deployment of an open-source tool named Sliver, in an attempt to maintain the group’s access to a number of the existing victims of WellMess and WellMail malware.
- The group has now been observed exploiting CVE-2021-26855. Other recently exploited popular vulnerabilities include Microsoft Exchange (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), VMware vSphere (CVE-2021-21972), Oracle WebLogic (CVE-2020-14882), and F5 BIG-IP (CVE-2020-5902).
- SVR operators have continued targeting government agencies, think tanks, energy infrastructure, and other entities. These targets are thought to be strategically important with respect to Russian foreign intelligence.
The Russia-based threat actor has been using several other attack methods to target its victims.
- NSA warned that the Russian SVR activities were targeting COVID-19 research facilities via WellMess malware and networks through five VMware vulnerabilities (CVE-2020-4006, CVE-2019-19781, CVE-2019-11510, CVE-2019-9670, and CVE-2018-13379).
- In addition, Russian SVR has been exploiting vulnerabilities in Zimbra, FortiGate, Cisco Routers, Pulse Secure, and Kibana.
- Password spraying attacks are also commonly performed by this threat actor.
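Password spraying is distinguishable from ordinary brute forcing in authentication logs: one source tries a few passwords against many accounts rather than many passwords against one. The following is an added defender-side example, not code from the advisory or from any vendor; it runs over a constructed log sample in an assumed `timestamp result user= src=` format, and the window and thresholds are assumptions to be tuned per environment. It flags a source as spraying when it fails against at least five distinct accounts within ten minutes, separately flags single-account brute force, and records any later successful login from a spraying source, which is the event most worth an analyst's attention.

```python
"""Password-spray detection over authentication log lines (added example).

Log format, window size and thresholds are assumptions, not values from
the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format:
#   <ISO-8601 timestamp> <OK|FAIL> user=<account> src=<source IP>
SAMPLE_LOG = """\
2021-05-07T10:00:01Z FAIL user=alice src=203.0.113.5
2021-05-07T10:00:03Z FAIL user=bob src=203.0.113.5
2021-05-07T10:00:05Z FAIL user=carol src=203.0.113.5
2021-05-07T10:00:07Z FAIL user=dave src=203.0.113.5
2021-05-07T10:00:09Z FAIL user=erin src=203.0.113.5
2021-05-07T10:00:11Z OK   user=frank src=203.0.113.5
2021-05-07T10:01:00Z FAIL user=alice src=198.51.100.9
2021-05-07T10:01:02Z FAIL user=alice src=198.51.100.9
2021-05-07T10:01:04Z FAIL user=alice src=198.51.100.9
2021-05-07T10:01:06Z FAIL user=alice src=198.51.100.9
2021-05-07T10:01:08Z FAIL user=alice src=198.51.100.9
2021-05-07T10:05:00Z FAIL user=gina src=192.0.2.77
2021-05-07T10:05:30Z OK   user=gina src=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=10)  # assumed look-back window per source
MIN_SPRAYED_ACCOUNTS = 5        # distinct accounts failing from one source
MIN_BRUTE_ATTEMPTS = 5          # failures against one account from one source


def parse_log(text):
    """Parse log lines into time-sorted event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return {source: finding} for sources showing spray or brute-force patterns.

    A finding has kind "spray" or "brute_force", the accounts involved, and
    success_after: the account that later logged in successfully from a
    spraying source (None if no such login was seen).
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        recent_failures = []
        for e in evs:
            # Keep only failures inside the look-back window.
            recent_failures = [f for f in recent_failures if e["ts"] - f["ts"] <= WINDOW]
            if e["ok"]:
                # A success from a source already flagged as spraying is the
                # high-value signal: a credential may have been found.
                if src in findings and findings[src]["kind"] == "spray":
                    findings[src]["success_after"] = e["user"]
                continue
            recent_failures.append(e)
            users = {f["user"] for f in recent_failures}
            per_user_max = max(
                sum(1 for f in recent_failures if f["user"] == u) for u in users
            )
            prev = findings.get(src, {})
            if len(users) >= MIN_SPRAYED_ACCOUNTS:
                findings[src] = {"kind": "spray", "accounts": sorted(users),
                                 "success_after": prev.get("success_after")}
            elif per_user_max >= MIN_BRUTE_ATTEMPTS and src not in findings:
                findings[src] = {"kind": "brute_force", "accounts": sorted(users),
                                 "success_after": None}
    return findings


if __name__ == "__main__":
    for src, finding in detect(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

On the sample, 203.0.113.5 is reported as a spray across five accounts followed by a successful login as `frank`, 198.51.100.9 as brute force against `alice`, and 192.0.2.77 (one failure, then success) is not reported. In production the same logic applies to Windows 4625/4624 events or VPN and mail-gateway auth logs after adjusting the parser, and the window should be widened for low-and-slow sprays.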
SVR operators have been rapidly exploiting recently released public vulnerabilities that are likely to enable initial access to their targets. The U.S. and U.K. authorities have detailed a number of detection and mitigation strategies that will help organizations proactively harden their environments against these attack techniques. Organizations and network defenders are advised to apply security patches promptly after CVE announcements for the products they manage or use.