
Joint Fed Guidance on Russian APT Cyberattacks, Exploits, Malware

Recent joint federal guidance sheds light on the tactics used by Russian Advanced Persistent Threat (APT) actors, including vulnerability exploits and malware deployment.

Russian Advanced Persistent Threat (APT) actors are actively targeting a range of US entities to gather intelligence. Recent federal guidance aims to shed light on the tactics used in these cyberattacks, including vulnerability exploitation and malware deployment.

The federal guidance from the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) was created to supplement previous insights from the NSA on the five critical vulnerabilities under active attack from these APT actors.

The Russian Foreign Intelligence Service (SVR), also known as APT29, the Dukes, CozyBear, and Yttrium, has continued to target the US in recent years, primarily targeting IT companies, government networks, think tanks, and policy analysis organizations.

The group was behind the massive SolarWinds Orion hack, which has had a lingering impact on a number of US sectors. The full impact of the incident has yet to be seen.

“SVR cyber operations have posed a longstanding threat to the United States,” officials explained. “Prior to 2018, several private cybersecurity companies published reports about APT 29 operations to obtain access to victim networks and steal information, highlighting the use of customized tools to maximize stealth inside victim networks and APT 29 actors’ ability to move within victim environments undetected.”

The attackers leverage various exploitation tactics and stealthy intrusion techniques within the victim's network, at varying sophistication levels. In 2018, the FBI observed the group shift from deploying malware onto victims' networks to targeting cloud services such as email.

These attacks have been focused on gathering information from victims. As seen with the SolarWinds incident, the hackers exploited Microsoft Office 365 environments after gaining network access through modified SolarWinds Orion software.

The incident is believed to be part of an ongoing trend: exploiting cloud resources likely reduces the likelihood of detection, because compromised accounts or system misconfigurations let the actors hide within normal or unmonitored traffic, unbeknownst to victims.

The federal security leaders are urging all US entities to review the provided insights to better understand the APT attack methods and needed remediation to prevent successful exploits, such as those seen with SolarWinds.

The guidance sheds light on three key entry mechanisms: password-spraying attacks, zero-day vulnerabilities, and WELLMESS malware.

Password Spraying

Federal researchers have observed the attackers leveraging password spraying to find weak passwords tied to administrative accounts. The hackers conduct the attacks in a “low and slow” manner, making attempts with a small number of passwords at infrequent intervals, likely to avoid detection.

Further, the attackers used a large number of IP addresses from within the same country as the victim.

In one attack, the entity “unintentionally exempted the compromised administrator’s account from multi-factor authentication requirements."

“With access to the administrative account, the actors modified permissions of specific email accounts on the network, allowing any authenticated network user to read those accounts,” officials explained.

The attackers have also been observed using misconfigurations that enabled logins with legacy single-factor authentication on devices not designed for MFA, which allowed the compromise of non-administrative accounts.

The access was likely obtained by spoofing user agent strings, masquerading as older versions of mail clients. Once the attacker logged in as a non-admin user, they used permission changes applied via the compromised admin user to gain access to mailboxes of interest to the attacker.

To defend against these attacks, entities should make MFA mandatory for all users and prohibit remote access to admin functions and resources from IP addresses and systems not owned by the organization.

Administrators need to perform routine auditing of mailbox settings, account permissions, and mail forwarding, which will allow for the detection of any unauthorized changes.

Password management, including strong password use and the prohibition of commonly used passwords, must also be enforced, in addition to a regular review of the password management program and well-documented standard operating procedures for resets.
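The two sign-in patterns described above, a low-and-slow spray spread across many accounts and source IPs, and a successful login from a legacy, MFA-incapable mail client, can both be picked out of ordinary sign-in logs. The following is an added example, not code from the advisory or from any vendor: the log format is a constructed, simplified comma-separated record, the thresholds and the list of legacy user-agent substrings are assumptions to tune per environment, and the sample records are constructed for the example.

```python
"""Flag low-and-slow password spraying and legacy single-factor logins.

Added example on a constructed sign-in log; thresholds and the legacy
user-agent list are assumptions, not values from the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp,user,source_ip,result,user_agent
# Lines 1-6: six accounts, one failure each, six IPs in the same /24 (spray).
# Line 7: a spraying IP then succeeds against an admin account.
# Line 9: success from a client that cannot complete MFA.
# alice from 198.51.100.7: a user mistyping her own password (not a spray).
SAMPLE_LOG = """\
2021-04-01T02:10:00Z,alice,203.0.113.10,FAIL,Mozilla/5.0
2021-04-01T03:45:00Z,bob,203.0.113.11,FAIL,Mozilla/5.0
2021-04-01T05:20:00Z,carol,203.0.113.12,FAIL,Mozilla/5.0
2021-04-01T06:55:00Z,dave,203.0.113.13,FAIL,Mozilla/5.0
2021-04-01T08:30:00Z,erin,203.0.113.14,FAIL,Mozilla/5.0
2021-04-01T10:05:00Z,frank,203.0.113.15,FAIL,Mozilla/5.0
2021-04-01T11:40:00Z,admin-svc,203.0.113.12,SUCCESS,Mozilla/5.0
2021-04-01T12:00:00Z,alice,198.51.100.7,SUCCESS,Mozilla/5.0
2021-04-01T12:30:00Z,bob,203.0.113.20,SUCCESS,Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
2021-04-01T13:00:00Z,alice,198.51.100.7,FAIL,Mozilla/5.0
2021-04-01T13:01:00Z,alice,198.51.100.7,FAIL,Mozilla/5.0
2021-04-01T13:02:00Z,alice,198.51.100.7,FAIL,Mozilla/5.0
"""

# Assumed tunables. A spray touches many accounts a few times each from
# many sources; a lockout-style brute force hits one account many times.
WINDOW = timedelta(hours=24)
MIN_ACCOUNTS = 5      # distinct accounts with failures inside one window
MAX_PER_ACCOUNT = 2   # at most this many failures per account to count as "low"
MIN_SOURCES = 3       # distinct source IPs behind those failures

# Assumed substrings of user agents that belong to legacy clients unable to
# complete MFA (older Office/Outlook builds, basic-auth connectors).
LEGACY_UA = re.compile(r"Microsoft Office/1[0-5]\.|Outlook 1[0-5]\.|BAV2ROPC", re.I)


def parse_log(text):
    """Parse the constructed format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, ua = line.split(",", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "ok": result == "SUCCESS", "ua": ua,
        })
    return events


def detect_spray(events):
    """Return (spray_source_ips, successful_logins_from_those_ips).

    Each failure anchors a window; inside it, accounts with few failures are
    the spray candidates, and if enough accounts and enough sources appear,
    every source behind them is recorded.
    """
    failures = sorted((e for e in events if not e["ok"]), key=lambda e: e["ts"])
    spray_ips = set()
    for anchor in failures:
        end = anchor["ts"] + WINDOW
        window = [e for e in failures if anchor["ts"] <= e["ts"] < end]
        per_user = defaultdict(int)
        for e in window:
            per_user[e["user"]] += 1
        low_volume = {u for u, n in per_user.items() if n <= MAX_PER_ACCOUNT}
        ips = {e["ip"] for e in window if e["user"] in low_volume}
        if len(low_volume) >= MIN_ACCOUNTS and len(ips) >= MIN_SOURCES:
            spray_ips |= ips
    # A later success from a spraying source is the "weak password found" case.
    follow_on = [e for e in events if e["ok"] and e["ip"] in spray_ips]
    return spray_ips, follow_on


def detect_legacy_auth(events):
    """Successful logins presenting a legacy (MFA-incapable) client user agent."""
    return [e for e in events if e["ok"] and LEGACY_UA.search(e["ua"])]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    ips, hits = detect_spray(evts)
    print("spray sources:", sorted(ips))
    for h in hits:
        print("success from spray source:", h["user"], h["ip"], h["ts"])
    for h in detect_legacy_auth(evts):
        print("legacy-client login:", h["user"], h["ip"], h["ua"])
```

On the sample, the six single-failure accounts across five distinct sources are enough to mark 203.0.113.11 through 203.0.113.15 as spray sources, the later admin-svc success from 203.0.113.12 is reported as the follow-on, and alice's three failures from one address are correctly left out of the spray set. The legacy-client rule fires on bob's Outlook 2010-style user agent, which is the kind of login that MFA enforcement and disabling legacy authentication protocols would have blocked.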

Zero-Day Flaws

The attackers have also been observed targeting and exploiting zero-day vulnerabilities, including the CVE-2019-19781 flaw found in Citrix servers.

In one attack, the actors used the CVE-2019-19781 flaw against a virtual private network (VPN) to gain a foothold onto the network. After exploiting a device to expose user credentials, the attackers identified and authenticated to systems on the network.

The attackers expanded the intrusion to several different systems on the network that were not configured to require MFA. The group then attempted to access web-based resources on the network.

Once the victim discovered the unauthorized access, the entity worked to expel the threat actors but failed to do so, as they did not find the initial point of access.

“The actors used the same VPN appliance vulnerability to regain access,” officials explained. “Eventually, the initial access point was identified, removed from the network, and the actors were evicted.” 

“As in the previous case, the actors used dedicated VPSs located in the same country as the victim, probably to make it appear that the network traffic was not anomalous with normal activity,” they added.

To defend against this stealthy technique, entities must employ endpoint monitoring solutions configured to find evidence of lateral movement within the network. Administrators also need to employ network scanning tools and monitor the network for evidence of encoded PowerShell commands.

Antivirus or endpoint monitoring solutions should also be set to alert when monitoring or reporting is disabled, or if communication with a host agent is lost for more than a reasonable amount of time.
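Two of the checks recommended above, spotting encoded PowerShell commands and alerting when an endpoint agent goes silent, are simple to implement over process-creation and agent-heartbeat telemetry. The block below is an added example and not code from the advisory or any EDR product: the process records and heartbeat timestamps are constructed, the 30-minute silence threshold is an assumption, and the encoded command is built at runtime from a harmless enumeration command so the decoding step can be seen end to end.

```python
"""Decode -EncodedCommand PowerShell invocations and find stale endpoint agents.

Added example on constructed process-creation records and agent heartbeats;
the silence threshold and field layout are assumptions.
"""
import base64
import re
from datetime import datetime, timedelta

# PowerShell accepts abbreviated parameter names; these are the common
# spellings of -EncodedCommand seen on the command line.
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)

# Constructed: the encoded payload is a benign enumeration command, encoded
# the way PowerShell expects it (base64 over UTF-16LE).
SAMPLE_PLAIN = "Get-LocalUser | Export-Csv C:\\Users\\Public\\users.csv"
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAIN.encode("utf-16le")).decode("ascii")

PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed process-creation records: (timestamp, host, image, command line)
SAMPLE_PROCESSES = [
    ("2021-04-02T09:00:00Z", "ws-014", PS_IMAGE,
     f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"),
    ("2021-04-02T09:05:00Z", "ws-014", PS_IMAGE,
     "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ("2021-04-02T09:07:00Z", "srv-db1", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c dir"),
]

# Constructed last-heartbeat times per host and the "now" used for the check.
SAMPLE_HEARTBEATS = {
    "ws-014": datetime(2021, 4, 2, 9, 10),
    "srv-db1": datetime(2021, 4, 2, 8, 20),   # silent for 55 minutes at 09:15
    "ws-022": datetime(2021, 4, 2, 9, 14),
}
SAMPLE_NOW = datetime(2021, 4, 2, 9, 15)


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded
    command, the raw token if it cannot be decoded, or None if absent."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    token = m.group(1)
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Still worth reporting: an -enc flag with undecodable data is unusual.
        return token


def flag_encoded_powershell(records):
    """Report PowerShell launches that used an encoded command."""
    hits = []
    for ts, host, image, cmdline in records:
        name = image.lower()
        if "powershell" not in name and "pwsh" not in name:
            continue
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            hits.append({"ts": ts, "host": host, "decoded": decoded})
    return hits


def stale_agents(last_seen, now, max_silence=timedelta(minutes=30)):
    """Hosts whose agent has not reported within max_silence (assumed 30 min).
    A host that drops off monitoring deserves an alert, not silence."""
    return sorted(h for h, t in last_seen.items() if now - t > max_silence)


if __name__ == "__main__":
    for hit in flag_encoded_powershell(SAMPLE_PROCESSES):
        print(f"{hit['ts']} {hit['host']}: encoded PowerShell -> {hit['decoded']}")
    for host in stale_agents(SAMPLE_HEARTBEATS, SAMPLE_NOW):
        print(f"agent silent beyond threshold: {host}")
```

The decoder treats the token as base64 over UTF-16LE, which is what PowerShell itself does for `-EncodedCommand`, so the analyst sees the actual script rather than an opaque blob; the plain `-File` launch on the same host is not reported, which keeps the rule from paging on routine scripted administration. The heartbeat check is deliberately independent of the process telemetry: an attacker who disables the agent on srv-db1 removes the source of the first signal, and only the second one notices.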

WELLMESS Malware

Last year, Russian-backed hackers leveraged WELLMESS malware, written in the Go programming language, to target entities tasked with the development of the COVID-19 vaccine. In these attacks, the actors typically gained access through an unpatched, publicly known flaw.

Upon exploitation, the attackers deployed the malware and then targeted the victim's vaccine research repository and Active Directory servers. The attacks mostly relied on targeting on-premises network resources, which "likely indicate new ways the actors are evolving in the virtual environment."

“SVR cyber operators are capable adversaries,” officials warned. “FBI investigations have [also] revealed infrastructure used in the intrusions is frequently obtained using false identities and cryptocurrencies. VPS infrastructure is often procured from a network of VPS resellers.” 

“These false identities are usually supported by low reputation infrastructure including temporary email accounts and temporary voice over internet protocol (VoIP) telephone numbers,” they added. “While not exclusively used by SVR cyber actors, a number of SVR cyber personas use email services hosted on cock[.]li or related domains.”

The actors have also been observed leveraging open-source or commercially available tools, including Mimikatz and Cobalt Strike, a commercially available adversary emulation and exploitation tool.
