U.S. intelligence agencies on Thursday jointly released a cybersecurity advisory alleging that the Russian Foreign Intelligence Service (SVR) is actively exploiting five publicly known vulnerabilities. The advisory accompanies the U.S. Government's formal attribution of the SolarWinds supply chain compromise, and the related cyber-espionage campaign, to the SVR.
In the advisory, "Russian SVR Targets U.S. and Allied Networks," the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urged cybersecurity stakeholders to check their networks for indicators of compromise associated with the five vulnerabilities and the techniques detailed in the advisory, and to implement the associated mitigations without delay. The agencies also recognized partners in the private and public sectors for their comprehensive and collaborative efforts to respond to recent Russian activity in cyberspace.
Russian SVR actors, also tracked as APT29, Cozy Bear and The Dukes, used publicly known vulnerabilities to conduct widespread scanning and exploitation of vulnerable systems, aiming to obtain authentication credentials that enable further access, according to an executive summary released by the U.S. government. The targeting covers U.S. and allied networks, including national security and government-related systems.
The SVR has exploited, and continues to exploit, software vulnerabilities to gain initial footholds in victim devices and networks, including equipment and software from Fortinet, Zimbra, Pulse Secure, Citrix and VMware, the summary added.
Recent SVR activity includes compromising SolarWinds Orion software updates, targeting COVID-19 research facilities with WellMess malware, and exploiting a VMware vulnerability, a zero-day at the time, for follow-on Security Assertion Markup Language (SAML) authentication abuse, the summary noted. The SVR also used authentication-abuse tactics after the SolarWinds-based intrusions.
Mitigating these vulnerabilities is critically important because U.S. and allied networks are constantly scanned, targeted and exploited by Russian state-sponsored cyber actors, the advisory said.
The VMware activity referenced above is the one NSA disclosed in its earlier Cybersecurity Advisory, "Russian State-Sponsored Actors Exploiting Vulnerability in Workspace ONE Access Using Compromised Credentials"; the new advisory cites it, the WellMess campaign against COVID-19 research facilities and the SolarWinds Orion supply chain compromise as the SVR's recent operations.
Also on Thursday, CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) published analysis of additional SolarWinds-related malware variants, referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as the server-side component of a China Chopper webshell, observed on a network with an active SUNSHUTTLE infection.
A webshell gives a threat actor an alternative way back into a network even after the SUNSHUTTLE infection itself has been remediated, so it needs to be hunted for and removed on its own rather than assumed gone once the malware is. The U.S. government also attributes this activity to the Russian SVR.
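As an added illustration of hunting for that alternative access path (example code written for this page, not CISA's or CNMF's analysis tooling): a small scanner that walks a web root looking for the well-documented China Chopper server-side shape, a tiny server page that hands a request parameter straight to an evaluator. The sample web root, the file extensions and the size cut-off are assumptions made for the demo and should be tuned to the environment.

```python
"""Hunt a web root for China Chopper-style one-line webshells.

Added example, not code from CISA, CNMF or the advisory. The advisory
reports a China Chopper server-side component found beside a SUNSHUTTLE
infection; this scanner looks for the well-known shape of such a shell
(a tiny server page that eval()s a request parameter). Sample files are
constructed here for the demo; extensions and size cut-off are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Each rule matches code that passes request-supplied input to an evaluator.
# Renamed, split or encoded shells will evade these; treat a hit as a lead
# to pull the file and the web server logs, not as proof by itself.
RULES = {
    "aspx_eval_request": re.compile(r"eval\s*\(\s*Request\s*(?:\.Item)?\s*\[", re.I),
    "php_eval_request": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I),
    "jsp_exec_param": re.compile(r"getRuntime\(\)\s*\.exec\s*\([^;]*getParameter", re.I),
}
WEB_EXTENSIONS = {".aspx", ".ashx", ".asp", ".php", ".jsp", ".jspx"}
MAX_SIZE = 64 * 1024  # one-liner shells are tiny; large files are a different hunt


@dataclass
class Finding:
    path: str
    rule: str
    size: int
    snippet: str


def scan_file(path):
    """Return a Finding for every rule that matches the file's contents."""
    size = os.path.getsize(path)
    if size > MAX_SIZE:
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for rule, rx in RULES.items():
        m = rx.search(text)
        if m:
            lo, hi = max(0, m.start() - 15), min(len(text), m.end() + 15)
            findings.append(Finding(path, rule, size, text[lo:hi].strip()))
    return findings


def scan_webroot(root):
    """Walk root and scan every server-side page, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample web root: two benign pages and two shells.
SAMPLE_FILES = {
    "index.aspx": '<%@ Page Language="C#" %>\n<html><body>Portal</body></html>\n',
    "search.jsp": '<%= request.getParameter("q") %>\n',  # reflects input, no exec
    "images/err.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "uploads/cache.php": "<?php @eval($_POST['cmd']); ?>",
}


def build_sample_webroot(root):
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Scan the constructed web root; map relative path -> rule that fired."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return {os.path.relpath(f.path, root).replace(os.sep, "/"): f.rule
                for f in scan_webroot(root)}


if __name__ == "__main__":
    for path, rule in demo().items():
        print(f"{rule:20} {path}")
```

Run it against a real web root by calling `scan_webroot("/var/www")` (or the IIS site directory) rather than `demo()`; pair any hit with the server's access logs for that path, since a webshell that was never requested is a different finding from one with a history of POSTs.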
The public response began in December 2020, when CISA issued Emergency Directive 21-01 after the compromise of SolarWinds Orion products became known. The directive ordered federal civilian agencies to immediately disconnect or power down affected Orion instances, which had been exploited by the attackers. U.S. security agencies have since been tracking, assessing and mitigating the SolarWinds supply chain incident, which they assess was carried out by an APT actor that may be deeply burrowed in compromised networks and whose full eviction will be costly, highly challenging and complex.
In January, the Cyber Unified Coordination Group (UCG), a task force of the FBI, CISA and ODNI with support from the NSA that coordinates the investigation and remediation of the supply chain incident, assessed that the APT actor was likely Russian in origin and responsible for most or all of the recently discovered, ongoing compromises of both government and non-governmental networks.
The actors targeted and gained persistent, invasive access to select organizations' enterprise networks, their federated identity solutions, and their Active Directory or Microsoft 365 environments. In the Microsoft cloud systems (Azure Active Directory and Microsoft 365), the actor used that privileged access to collect and exfiltrate sensitive data and created backdoors to enable their return.
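How abuse of a federated identity solution can be caught in practice, as an added example that is not from the advisory or any vendor: a SAML token minted with a stolen token-signing key is validly signed, so the cloud service provider accepts it, and the tell is an assertion the identity provider never logged issuing, or one with an abnormal validity window or a subject the IdP never authenticated. The script below parses assertions observed at the service provider and checks them against constructed IdP issuance records; the log fields, the issuer URL and the one-hour lifetime policy are assumptions.

```python
"""Audit SAML assertions consumed by a service provider against the
identity provider's own issuance log.

Added example, not code from the advisory or any vendor. A token forged
with a stolen token-signing key validates perfectly at the service
provider, so the only place the forgery shows is where the IdP never
recorded issuing it. Log formats, field names and the issuer URL are
assumptions; every record below is constructed for the demo.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_ts(value):
    """SAML timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract the fields the audit needs from a SAML 2.0 Assertion element."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", SAML_NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "not_before": parse_ts(conditions.get("NotBefore")),
        "not_on_or_after": parse_ts(conditions.get("NotOnOrAfter")),
    }


def audit(sp_assertions, idp_issuance, expected_issuer, max_lifetime=timedelta(hours=1)):
    """Return {assertion_id: [reasons]} for assertions that look forged or abusive.

    Checks: issuer matches the trusted IdP; the IdP logged issuing this
    assertion ID, to the same subject; validity window within policy.
    """
    issued = {rec["assertion_id"]: rec for rec in idp_issuance}
    suspicious = {}
    for xml_text in sp_assertions:
        a = parse_assertion(xml_text)
        reasons = []
        if a["issuer"] != expected_issuer:
            reasons.append(f"unexpected issuer {a['issuer']!r}")
        rec = issued.get(a["id"])
        if rec is None:
            reasons.append("no matching issuance event in IdP log")
        elif rec["user"] != a["subject"]:
            reasons.append(f"IdP issued this ID to {rec['user']!r}, SP saw {a['subject']!r}")
        lifetime = a["not_on_or_after"] - a["not_before"]
        if lifetime > max_lifetime:
            reasons.append(f"validity window {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            suspicious[a["id"]] = reasons
    return suspicious


ISSUER = "http://sts.example.test/adfs/services/trust"  # assumed trusted IdP


def _assertion(aid, subject, nb, noa, issuer=ISSUER):
    """Build a minimal constructed assertion (signature omitted for brevity)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="{aid}" Version="2.0" IssueInstant="{nb}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/>
</saml:Assertion>"""


# Constructed: what the IdP's own issuance auditing recorded.
IDP_ISSUANCE_LOG = [
    {"assertion_id": "_a1", "user": "alice@example.test", "issued_at": "2021-04-15T13:00:02Z"},
    {"assertion_id": "_a2", "user": "bob@example.test", "issued_at": "2021-04-15T13:05:41Z"},
]

# Constructed: assertions the cloud tenant accepted. The third was never
# issued by the IdP, is valid for a week, and names a privileged account.
SP_ASSERTIONS = [
    _assertion("_a1", "alice@example.test", "2021-04-15T13:00:00Z", "2021-04-15T14:00:00Z"),
    _assertion("_a2", "bob@example.test", "2021-04-15T13:05:40Z", "2021-04-15T14:05:40Z"),
    _assertion("_b9", "ga-break-glass@example.test", "2021-04-15T02:00:00Z", "2021-04-22T02:00:00Z"),
]


def demo():
    return audit(SP_ASSERTIONS, IDP_ISSUANCE_LOG, ISSUER)


if __name__ == "__main__":
    for aid, reasons in demo().items():
        print(aid)
        for reason in reasons:
            print("  -", reason)
```

The correlation only works if the IdP's issuance records live somewhere the attacker could not edit (forwarded to a separate log store), and it assumes the service provider records the assertion ID it consumed; where it does not, correlating by subject and time window is the fallback.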
“In the future, we can expect more disruptive events that leverage ransomware and supply chain attacks,” Roark Pollock, Mission Secure’s chief marketing officer, wrote in a company blog post. “These will likely evolve into more sophisticated sequenced or staged events that can compromise the integrity of process data in such a way as to ensure more significant damage to physical systems. Attackers are working on removing or disabling process protection and safety systems within ICS networks to further these goals,” he added.