Russian hackers are still launching offensive cyberattacks against the US and its allies in efforts to steal information or lay the foundations for future operations, a joint alert by security and intelligence agencies has warned.
The advisory from the FBI, Department of Homeland Security and CISA warns that the Russian Foreign Intelligence Service (SVR) – also known by cybersecurity researchers as APT 29, the Dukes and CozyBear – continues to target organisations in efforts to gather intelligence.
US agencies, along with the UK's National Cyber Security Centre (NCSC), recently blamed the SVR for the SolarWinds supply chain attack, which saw hackers compromise the company's software updates process and gain access to systems at nine government agencies and about 100 private sector companies.
SEE: Network security policy (TechRepublic Premium)
And now organisations are being warned that Russian cyberattacks show no signs of slowing down, especially when it comes to targeting the networks of organisations involved with government, think tanks and information technology.
Cloud services including email and Microsoft Office 365 are being targeted in attacks.
"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations," warned the agency alert.
The alert details common techniques used in SVR operations, including password spraying, leveraging zero-day vulnerabilities and deploying malware.
Password spraying is when the attackers target weak passwords associated with admin accounts. These accounts are secured with common or weak passwords, including default usernames and passwords, providing cyber attackers with a relatively simple means of gaining access to poorly secured networks.
In many cases, the attackers will break into as many accounts as they can, only thinking about how they can be exploited later.
To defend against password-spraying attacks, the FBI and DHS recommend the mandatory use of multi-factor authentication across the network and to, where possible, enforce the use of strong passwords – particularly for administrator accounts. It's also recommended that access to remote administrative functions from IP addresses not owned by the organisations is prohibited.
Another common attack technique used by Kremlin-backed hackers is levering vulnerabilities in virtual private network (VPN) appliances that expose login credentials.
The alert uses the example of attackers exploiting CVE-2019-19781 – a vulnerability in Citrix Application Delivery Controller and Gateway – but it's one of several that have been exploited in cyberattacks in recent years, allowing attackers to secretly enter networks.
In each of these cases, the affected vendor has released a critical security patch – and in some cases these have been available for years – but organisations that don't apply the updates are still vulnerable to attacks.
The FBI, DoH and CISA also warn about attacks using WellMess – a form of custom malware associated with APT 29, which has been used in attacks targeting COVID-19 vaccine research facilities. While stolen RDP credentials have been used to help install the malware, it's also been known for attackers to attempt to distribute it via spear-phishing emails.
The alert on Russian hacking techniques has been released in order to encourage organisations to examine their networks and gain a better understanding of how to secure them against attacks.
"The FBI and DHS are providing information on the SVR's cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks," said the alert.
MORE ON CYBERSECURITY
- White House: Here's what we've learned from tackling the SolarWinds and Microsoft Exchange Server cyber incidents
- Most applications today are deployed with vulnerabilities, and many are never patched
- These software bugs are years old. But businesses still aren't patching them
- Congress confronts US cybersecurity weaknesses in wake of SolarWinds hacking campaign
- The FBI removed hacker backdoors from vulnerable Microsoft Exchange servers. Not everyone likes the idea