Joint CISA, FBI, and DHS Cybersecurity Advisory Warns About ‘APT 29’ Methods

  • American federal agencies released a cybersecurity advisory to warn about Russian hacker methods.
  • This is a somewhat unusual approach, not offering IOCs or warnings about new zero-days, but it can still help organizations.
  • The takeaway can be summarized in patching, auditing, monitoring, and using MFA wherever possible.

The Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a cybersecurity advisory warning about the continuous threat of APT 29, aka “the Dukes,” or “CozyBear,” who are believed to be agents of the Russian Foreign Intelligence Service (SVR). In the advisory, the American agencies detail how the hackers move, what techniques they use, and what vulnerabilities they appear to target the most.

First, there’s the “password spraying” approach which the actors deploy to steal weak passwords associated with an administrative account. The hackers are going “low and slow,” testing a small number of passwords at infrequent intervals to not raise any security alarms. Also, the spraying occurs via a large number of IP addresses that are all located in the same country as the target entity.

The advisory recommends the mandatory use of an approved MFA (multi-factor authentication) solution, the prohibition of remote access to administrative functions, and the conduction of regular audits of all mailbox settings and account permissions. Additionally, employees should receive regular training in all matters of security.

The zero-day vulnerability that the CISA advisory gives as an example is CVE-2019-19781, an RCE flaw in the Citrix Application Delivery Controller and Gateway. This is the same flaw that the NSA ranked as the third most exploited by Chinese hackers in a report that came out last year. It is now merely used as an example of how actors can run code remotely without having to authenticate, establish a strong foothold, and access web-based resources freely.

The obvious advice here is to apply the available patches, but the advisory also recommends measures relevant to identifying lateral movement activities. This includes monitoring for NMAP commands, enabling AV/endpoint monitoring tools, and requiring MFA to access internal systems.

Then we have the “WELLMESS” malware, which mostly focused on targeting COVID-19 vaccine development, and which was planted in unpatched networks that carried some form of a known vulnerability. This malware was used against supercomputers that contributed to vaccine development research, large telecom service providers, government entities, and more.

And finally, there’s the mention of SolarWinds and supply chain attacks in general. The Biden administration has no doubt about the involvement of SVR actors in the particular campaign, one of the worst to have unfolded in the industry. The recommendations here include log file auditing, endpoint protection system deployment, and the use of public resources to identify credential abuse within cloud environments.

All in all, there’s nothing new or anything we don’t already know in this advisory. However, there are still some things outlined that could help organizations get out of their panic and look and return to basics when it comes to cybersecurity.

As Joseph Neumann, an executive advisor at Coalfire, tells us:

Organizations that are currently under attack are on the lower end of the maturity spectrum in their security posture. Basic things like enabling two-factor authentication on admin credentials, not allowing for remote logins from unknown IP addresses, or having a management VPN/backplane are common for any company with these tools.

REVIEW OVERVIEW

Latest

NBCUniversal’s Streaming Platform ‘Peacock’ Is Landing on Amazon’s Fire TV Today

Users of Fire TV devices will finally be able to enjoy ‘Peacock’ content on their Amazon hardware.This has been requested warmly by...

Dell Fixes Multiple BIOS Vulnerabilities Affecting Millions of Its Computers

Tens of millions of Dell computers are vulnerable to arbitrary remote code execution flaws.The problem lies in BIOS components that come as...

Former Executives of French Spyware Firms ‘Nexa’ and ‘Amesys’ Indicted for Aiding Torture

Four former executives of two French spyware firms have been indicted in Paris for aiding torture in Africa.These people were determined to...