The UK’s National Cyber Security Centre (NCSC), alongside partners at the US’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, has published a new advisory detailing the tactics, techniques and procedures (TTPs) used by the Russian intelligence-linked APT29 group, also known as Cozy Bear.
The advisory covers a number of TTPs that the agencies understand the SVR, Russia’s foreign intelligence service, to use. It builds on the UK’s and the US’s recent attribution of the large-scale SolarWinds-linked attacks, as well as warnings issued last year over the group’s use of two new malware families, WellMess and WellMail, against organisations working on Covid-19 vaccines.
“The SVR is Russia’s civilian foreign intelligence service,” said the NCSC. “The group uses a variety of tools and techniques to predominantly target overseas governmental, diplomatic, think-tank, healthcare and energy targets globally for intelligence gain.
“The SVR is a technologically sophisticated and highly capable cyber actor. It has developed capabilities to target organisations globally, including in the UK, the US, Europe, NATO member states and Russia’s neighbours.”
In the wake of last summer’s report on its targeting of vaccine research, Cozy Bear now appears to have pivoted to using a number of new TTPs, in a likely attempt to avoid further detection and remediation, said the NCSC. Among other things, the group has enthusiastically taken up the use of Sliver, an open-source, cross-platform adversary simulation/red team platform.
“The use of the Sliver framework was likely an attempt to ensure access to a number of the existing WellMess and WellMail victims was maintained following the exposure of those capabilities,” said the NCSC. “As observed with the SolarWinds incidents, SVR operators often used separate command and control infrastructure for each victim of Sliver.”
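Because the advisory notes that separate command-and-control infrastructure was used per victim, a blocklist of someone else’s C2 addresses is of limited use; behavioural detection of the implant’s check-in pattern is more portable. The following is an added example, not code from the advisory or the NCSC, that scores each source/destination pair in a constructed proxy log by how regular its inter-request timing is. The log format (`timestamp src dst bytes`), the sample lines, and the thresholds (`max_cv`, `min_events`) are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not taken from the advisory): "<ISO timestamp> <src> <dst> <bytes>".
# 10.0.0.5 checks in every ~60 s with small jitter (beacon-like);
# 10.0.0.7 browses at irregular, human-looking intervals.
SAMPLE_LOG = """\
2021-05-07T09:00:00 10.0.0.5 203.0.113.10 512
2021-05-07T09:01:00 10.0.0.5 203.0.113.10 498
2021-05-07T09:02:01 10.0.0.5 203.0.113.10 505
2021-05-07T09:03:00 10.0.0.5 203.0.113.10 511
2021-05-07T09:04:00 10.0.0.5 203.0.113.10 499
2021-05-07T09:05:01 10.0.0.5 203.0.113.10 503
2021-05-07T09:00:12 10.0.0.7 198.51.100.20 2048
2021-05-07T09:07:45 10.0.0.7 198.51.100.20 1200
this line is deliberately malformed and must be skipped
2021-05-07T09:31:02 10.0.0.7 198.51.100.20 9000
2021-05-07T10:14:19 10.0.0.7 198.51.100.20 300
"""

# Assumed line layout; real proxy logs need their own pattern.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Return {(src, dst): sorted list of datetimes} for every well-formed line."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole run
        ts, src, dst, _size = m.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return dict(flows)


def beacon_score(timestamps):
    """Coefficient of variation of the inter-arrival gaps (stdev / mean).

    Values near 0 mean near-constant spacing, which is what a fixed-interval
    implant check-in looks like. Returns None when there is too little data.
    """
    if len(timestamps) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_events=4):
    """Flows regular enough to warrant a look, lowest (most regular) first."""
    hits = []
    for (src, dst), ts in parse_log(text).items():
        cv = beacon_score(ts)
        if cv is not None and len(ts) >= min_events and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(ts), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} events, cv={hit['cv']}")
```

The score is destination-agnostic, so it still fires when the operator stands up fresh infrastructure for each victim. In practice the interval threshold, minimum event count and a jitter allowance should be tuned against a baseline of the organisation’s own traffic, since legitimate software updaters and monitoring agents also check in on fixed schedules and will need allow-listing.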
It is also exploiting newly disclosed vulnerabilities more frequently, and more quickly, than before. Western intelligence now believes Cozy Bear is among the groups exploiting the widely reported and dangerous Microsoft Exchange Server ProxyLogon vulnerabilities. It has also been observed exploiting common vulnerabilities in products from Fortinet, Cisco, Oracle, Zimbra, Pulse Secure, Citrix, Kibana and F5 Networks, some of which date back more than three years.
The NCSC said the group’s recent activities clearly demonstrate that managing and applying security updates as a priority would greatly help to reduce the attack surface that Cozy Bear can take advantage of.
It also reiterated its general advice that, despite the complex and hard-to-spot nature of supply chain attacks (such as the SolarWinds incident), following basic cyber security principles, implementing network security controls and effectively managing user privileges will help to arrest lateral movement between hosts should an actor such as Cozy Bear make it onto an organisation’s network, and will limit the effectiveness of its attacks.