Cyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous public disclosures of their attack methods, according to a new advisory jointly published by intelligence agencies from the U.K. and U.S. Friday.
"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders," the National Cyber Security Centre (NCSC) said.
These include the deployment of an open-source tool called Sliver to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.
The development follows the public attribution of SVR-linked actors to the SolarWinds supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.
The attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities.
- CVE-2018-13379 - Fortinet FortiGate VPN
- CVE-2019-9670 - Synacor Zimbra Collaboration Suite
- CVE-2019-11510 - Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 - Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 - VMware Workspace ONE Access
"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example COVID-19 vaccine targeting in 2020," the NCSC said.
This was followed by a separate guidance on April 26 that shed more light on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.
Now according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to "rapidly" weaponize recently released public vulnerabilities that could enable initial access to their targets.
- CVE-2019-1653 - Cisco Small Business RV320 and RV325 Routers
- CVE-2019-2725 - Oracle WebLogic Server
- CVE-2019-7609 - Kibana
- CVE-2020-5902 - F5 Big-IP
- CVE-2020-14882 - Oracle WebLogic Server
- CVE-2021-21972 - VMware vSphere
- CVE-2021-26855 - Microsoft Exchange Server
"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage," the agency said.