February 5, 2021
The Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a cybersecurity advisory warning about the continuous threat of APT 29, aka “the Dukes,” or “CozyBear,” who are believed to be agents of the Russian Foreign Intelligence Service (SVR). In the advisory, the American agencies detail how the hackers move, what techniques they use, and what vulnerabilities they appear to target the most.
First, there’s the “password spraying” approach which the actors deploy to steal weak passwords associated with an administrative account. The hackers are going “low and slow,” testing a small number of passwords at infrequent intervals to not raise any security alarms. Also, the spraying occurs via a large number of IP addresses that are all located in the same country as the target entity.
The advisory recommends the mandatory use of an approved MFA (multi-factor authentication) solution, the prohibition of remote access to administrative functions, and the conduction of regular audits of all mailbox settings and account permissions. Additionally, employees should receive regular training in all matters of security.
The zero-day vulnerability that the CISA advisory gives as an example is CVE-2019-19781, an RCE flaw in the Citrix Application Delivery Controller and Gateway. This is the same flaw that the NSA ranked as the third most exploited by Chinese hackers in a report that came out last year. It is now merely used as an example of how actors can run code remotely without having to authenticate, establish a strong foothold, and access web-based resources freely.
The obvious advice here is to apply the available patches, but the advisory also recommends measures relevant to identifying lateral movement activities. This includes monitoring for NMAP commands, enabling AV/endpoint monitoring tools, and requiring MFA to access internal systems.
Then we have the “WELLMESS” malware, which mostly focused on targeting COVID-19 vaccine development, and which was planted in unpatched networks that carried some form of a known vulnerability. This malware was used against supercomputers that contributed to vaccine development research, large telecom service providers, government entities, and more.
And finally, there’s the mention of SolarWinds and supply chain attacks in general. The Biden administration has no doubt about the involvement of SVR actors in the particular campaign, one of the worst to have unfolded in the industry. The recommendations here include log file auditing, endpoint protection system deployment, and the use of public resources to identify credential abuse within cloud environments.
All in all, there’s nothing new or anything we don’t already know in this advisory. However, there are still some things outlined that could help organizations get out of their panic and look and return to basics when it comes to cybersecurity.
As Joseph Neumann, an executive advisor at Coalfire, tells us:
Organizations that are currently under attack are on the lower end of the maturity spectrum in their security posture. Basic things like enabling two-factor authentication on admin credentials, not allowing for remote logins from unknown IP addresses, or having a management VPN/backplane are common for any company with these tools.