Four cybersecurity bodies from the US and UK warn that attackers operated by Russian Intelligence have changed their attack techniques and prompt once again to apply the available updates.
Russian cyber attackers are now exploiting the recent zero-day vulnerabilities in the Microsoft Exchange and using a new open-source tool to target governments, organizations, and energy providers around the world.
In a joint advisory by, the US Department for Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA), FBI, the National Security Agency (NSA), and the UK National Cyber Security Centre warn organizations about updated Tactics, Techniques and Procedures (TTPs) of the SVR, Russia’s foreign intelligence service group known as APT29, Cozy Bear, and The Dukes.
“The SVR is a technologically sophisticated and highly capable cyber actor. It has developed capabilities to target organisations globally, including in the UK, US, Europe, NATO member states and Russia’s neighbours,” security experts warn in the alert.
The advisory says the recent update to the SVR’s techniques and procedures is a testimony to the renewed efforts to infiltrate networks and avoid detection that comes after organizations adjusted their defenses following the previous alerts about Russian cyberattacks.
Te alert warms that attackers are now using an open-source tool called Sliver for maintaining access to compromised networks and to exploit various vulnerabilities, including those in Microsoft Exchange. Sliver is a legitimate tool used by penetration testers for testing network security. Russian attackers use it to consolidate access to networks compromised with WellMess and WellMail, custom malware associated with SVR attacks.
Here’s a partial list of vulnerabilities exploited by attackers:
- CVE-2018-13379 FortiGate
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-9670 Zimbra
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2019-7609 Kibana
- CVE-2020-4006 VMWare
- CVE-2020-5902 F5 Big-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-21972 VMWare vSphere
All the flaws have security patches available. The alert suggests organizations apply security patches promptly so no cybercriminals or nation-state hackers can exploit them for entering or maintaining persistence on the network.
The US and UK cybersecurity authorities say “following basic cybersecurity principles will make it harder for even sophisticated actors to compromise target networks”.
The NCSC also suggests using multi-factor authentication to protect networks from attacks particularly when passwords have been compromised.
