Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine

Government agencies publish warnings and guidance for organizations to defend themselves against advanced persistent threat groups.

As governments around the world call for heightened cyber vigilance, the reality of our digital world comes into stark relief: there are no boundaries when it comes to the potential damage that can be inflicted as a result of nation-state conflicts. The tactical information shared in this blog is designed to help you prepare your digital response to these rapidly unfolding events.

Update February 25: The Identifying affected systems section has been updated to announce the availability of scan templates for the vulnerabilities discussed in this blog.

Background

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), recently tweeted that, despite no specific credible threats against organizations in the United States by Russian state-sponsored activity, these advanced persistent threat (APT) groups have historically targeted organizations through a variety of means, including exploiting vulnerabilities in perimeter devices and utilizing Active Directory (AD) for lateral movement. CISA has called for every organization to “adopt a heightened posture of vigilance.”

CISA announced Shields Up, an initiative to empower organizations and provide guidance on how to limit the exposure to common attack paths leveraged by these APT groups.

Analysis

In recent months, CISA has also issued joint advisories regarding specific vulnerabilities targeted by these APT groups and the steps organizations can take to mitigate their risk of exploitation. Both the U.K. National Cyber Security Centre and the Australian Cyber Security Centre have released advisories on this subject as well.

In January, CISA, the Federal Bureau of Investigation (FBI) and National Security Agency (NSA) issued a joint cybersecurity alert regarding “Russian Cyber Threats to U.S. Critical Infrastructure.” This alert focuses on observed behavior from Russian state-sponsored threat groups targeting critical infrastructure organizations in several countries. The alert highlights the following sectors as key targets for the APT groups: defense industrial base, healthcare and public health, energy, telecommunications and government facilities.

According to the advisory, the following vulnerabilities have been used in these attacks to gain initial access:

CVE | Description | CVSSv3 | VPR*
CVE-2018-13379 | Fortinet FortiGate SSL VPN Path Traversal Vulnerability | 9.8 | 9.9
CVE-2019-1653 | Cisco Small Business Routers Information Disclosure | 9.8 | 7.2
CVE-2019-2725 | Oracle WebLogic Server Deserialization Vulnerability | 9.8 | 9.2
CVE-2019-7609 | Kibana Arbitrary Code Execution | 10.0 | 9.2
CVE-2019-9670 | Zimbra Software XML External Entity Injection Vulnerability | 9.8 | 9.2
CVE-2019-10149 | Exim Simple Mail Transfer Protocol Remote Code Execution | 9.8 | 9.7
CVE-2019-11510 | Pulse Connect Secure Arbitrary File Read | 10.0 | 10.0
CVE-2019-19781 | Citrix ADC and Gateway Directory Traversal Vulnerability | 9.8 | 9.8
CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | 8.8 | 9.8
CVE-2020-4006 | VMware Workspace One Command Injection | 9.1 | 10.0
CVE-2020-5902 | F5 BIG-IP Remote Code Execution | 9.8 | 9.7
CVE-2020-14882 | Oracle WebLogic Remote Code Execution | 9.8 | 9.8
CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution | 9.8 | 9.9
CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution | 7.8 | 9.8
CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution | 7.8 | 9.8
CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution | 7.8 | 9.9

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on February 24 and reflects VPR at that time.

On February 16, CISA published a joint cybersecurity advisory along with the FBI and NSA regarding the “regular targeting” of United States cleared defense contractors (CDCs). According to the advisory, the attacks originate from state-sponsored threat actors in Russia. The targets of the attacks include both large and small CDCs, as well as subcontractors. These CDCs are being targeted because of existing contracts they hold with the United States Department of Defense (DoD) and the Intelligence Community.

The targeting activity spans from January 2020 through February 2022. The advisory says that the attackers have “maintained persistent access to multiple CDC networks” with the longest being for “at least six months.” They’ve used this access to exfiltrate both emails and data from these organizations.

Outside of the use of standard techniques (brute force, spear phishing emails), the threat actors have paired harvested credentials with known vulnerabilities to target public-facing applications including VPNs.

The following is a list of CVEs the threat actor has reportedly used:

CVE | Description | CVSSv3 | VPR
CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | 8.8 | 9.8
CVE-2020-17144 | Microsoft Exchange Server Remote Code Execution Vulnerability | 8.4 | 9.9
CVE-2018-13379 | Fortinet FortiGate SSL VPN Path Traversal Vulnerability | 9.8 | 9.9

However, even if CDCs do patch known vulnerabilities within their networks, the threat actors will “alter their tradecraft” in an effort to regain access through “new means.” This is why these government agencies stress that CDCs “maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.”

In October 2020, CISA published an alert around Russian state-sponsored activity targeting the U.S. Government. In it, several of the vulnerabilities listed above are referenced. However, the alert also highlights CVE-2020-1472, dubbed “Zerologon,” a critical vulnerability in Microsoft’s Netlogon protocol that is used post-exploitation rather than for initial access. Zerologon is a popular vulnerability among threat actors and ransomware groups, who often pair it with several of the initial access vulnerabilities in this blog post, including several SSL-VPN vulnerabilities.

CVE | Description | CVSSv3 | VPR
CVE-2020-1472 | Microsoft Netlogon Elevation of Privilege Vulnerability | 10.0 | 10.0

Defending Active Directory

For attackers, Active Directory is the holy grail for disrupting business operations, exfiltrating sensitive information and deploying malware across a network. Recognizing the importance of Active Directory, it is imperative that organizations are adequately prepared to defend against common techniques leveraged by these APT groups.

Once inside a network, these threat actors will map the environment’s AD in order to connect to domain controllers (DCs). The goal is to exfiltrate credentials from the network and export the ntds.dit AD database file. The threat actors have also been observed using the Mimikatz hacktool in order to “dump admin credentials” from DCs.

Securing users, groups and computers that require privileges within AD should be a high priority. For example, privileged accounts that have certain attributes configured (such as a service principal name) are susceptible to Kerberoasting, which can lead to impersonation or even a Golden Ticket attack.

Attackers are using these tactics to obtain domain-level privileges within AD. Once they have domain-level privileges, they will use Group Policy to distribute malware and ransomware. For instance, Ryuk ransomware is known for these tactics, and the same tactics have also been leveraged recently by wiper malware.
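The attribute that makes a privileged account Kerberoastable is a service principal name (SPN) on the account, so a quick way to find the exposure described above is to list every member of the domain's privileged groups that carries one. The script below is an added example written for this post, not Tenable's code or a Tenable product feature; it assumes the RSAT ActiveDirectory PowerShell module is installed, read access to the domain, and that the privileged group names in `$privilegedGroups` match your environment (the defaults used here are the built-in names, an assumption you should extend with any custom admin groups).

```powershell
# Added example (not Tenable's code): find privileged AD accounts with an SPN set,
# i.e. the accounts an attacker with any domain credential could Kerberoast.
# Assumes: RSAT ActiveDirectory module, read access to the domain.
Import-Module ActiveDirectory

# Built-in privileged groups to audit. Extend with your own tiered admin groups (assumption).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are included too
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.distinguishedName `
                               -Properties servicePrincipalName, PasswordLastSet, Enabled
            # servicePrincipalName is multi-valued; any entry makes a TGS for this account requestable
            if ($user.servicePrincipalName.Count -gt 0) {
                [PSCustomObject]@{
                    Group           = $group
                    SamAccountName  = $user.SamAccountName
                    Enabled         = $user.Enabled
                    PasswordLastSet = $user.PasswordLastSet
                    SPNs            = ($user.servicePrincipalName -join '; ')
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
} else {
    Write-Host 'No privileged accounts with a servicePrincipalName were found.'
}
```

Every row returned is a candidate for remediation: move the service to a group managed service account (gMSA) or a dedicated, unprivileged service account, and remove the SPN from the administrative account. Where an SPN must remain, an old `PasswordLastSet` value is the warning sign, because an offline crack of the service ticket only needs the password to be guessable.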

Solution

Many of the vulnerabilities listed in these alerts are more than a year old and all have patches available. Organizations are strongly urged to find and patch any endpoints that are still vulnerable. In addition to listing vulnerabilities being targeted, the advisories include recommendations for preparing to defend against cyberattacks.

Organizations should also ensure that all passwords within AD are changed regularly and follow secure complexity and length guidelines to protect against password spray and password brute-force attacks.
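The two controls that matter most for the password spray and brute-force attacks mentioned above are the domain password policy itself (minimum length, lockout threshold) and whether accounts actually rotate within the configured maximum age. The script below is an added example written for this post, not Tenable's code; it assumes the RSAT ActiveDirectory module and read access to the domain, and the 14-character minimum is an illustrative threshold, not a value from the advisories.

```powershell
# Added example (not Tenable's code): review the default domain password policy and
# list enabled accounts whose password is past the maximum age or set to never expire.
# Assumes: RSAT ActiveDirectory module, read access to the domain.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Illustrative thresholds (assumption), adjust to your own standard
$minimumLength = 14

if ($policy.MinPasswordLength -lt $minimumLength) {
    Write-Warning "MinPasswordLength is $($policy.MinPasswordLength); $minimumLength or more is recommended."
}
if (-not $policy.ComplexityEnabled) {
    Write-Warning 'Password complexity is disabled.'
}
if ($policy.LockoutThreshold -eq 0) {
    # Threshold 0 means accounts never lock, so spraying is limited only by network speed
    Write-Warning 'LockoutThreshold is 0: no account lockout, password spray will not be slowed.'
}
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning 'MaxPasswordAge is 0: passwords never expire at the domain level.'
    $cutoff = $null
} else {
    # Anything set before this date is older than the policy allows
    $cutoff = (Get-Date) - $policy.MaxPasswordAge
}

# Enabled accounts that bypass rotation entirely, or whose password is already overdue
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        $_.PasswordNeverExpires -or
        ($cutoff -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff)
    } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Note that fine-grained password policies (`Get-ADFineGrainedPasswordPolicy`) override the default domain policy for the groups they apply to, so accounts covered by one should be checked against that policy's values instead. Accounts with `PasswordNeverExpires` set are the first ones to review, since they never cycle out a password that has already been harvested.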

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

A scan template for Nessus, Tenable.io and Tenable.sc has been released, and dashboards identifying the vulnerabilities listed in this blog post are in development and will be released shortly. We will update this blog post once the dashboards are available.

Conclusion

Although nations and organizations are being targeted, history has taught us that the digital impact is likely to be far-reaching. But this speculation shouldn’t detract from the obvious: there are steps you can take to protect yourself. Tenable is committed to doing our utmost to help organizations guard themselves in a world where we must acknowledge that digital threats will be a significant part of any conflict scenario.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
