Read Time:7 Minute, 17 Second

Government agencies publish warnings and guidance for organizations to defend themselves against advanced persistent threat groups.

As governments around the world call for heightened cyber vigilance, the reality of our digital world comes into stark relief: there are no boundaries when it comes to the potential damage that can be inflicted as a result of nation-state conflicts. The tactical information shared in this blog is designed to help you prepare your digital response to these rapidly unfolding events.

Background

Jen Easterly, director of the Cyber Security and Infrastructure Security Agency (CISA), recently tweeted that, despite no specific credible threats against organizations in the United States by Russian state-sponsored activity, these advanced persistent threat (APT) groups have historically targeted organizations through a variety of means, including exploiting vulnerabilities in perimeter devices and utilizing Active Directory (AD) for lateral movement. CISA has called for every organization to “adopt a heighted posture of vigilance.”

🛡ALL organizations must adopt a heightened posture of vigilance. The time to act is NOW. We’re urging all orgs to put #ShieldsUp to:
– Reduce the likelihood of a cyber intrusion
– Quickly detect a potential intrusion
– Ensure you’re prepared to respond
– Maximize resilience 3/4

— Jen Easterly (@CISAJen) February 12, 2022

CISA announced Shields Up, an initiative to empower organizations and provide guidance on how to limit the exposure to common attack paths leveraged by these APT groups.

Analysis

In recent months, CISA has also issued joint advisories regarding specific vulnerabilities targeted by these APT groups and the steps organizations can take to mitigate their risks of exploitation. Both the U.K. National Cyber Security Centre and Australia Cyber Security Centre have released advisories on this subject as well.

In January, CISA, the Federal Bureau of Investigation (FBI) and National Security Agency (NSA) issued a joint cybersecurity alert regarding “Russian Cyber Threats to U.S. Critical Infrastructure.” This alert focuses on observed behavior from Russian state-sponsored threat groups targeting critical infrastructure organizations in several countries. The alert highlights the following sectors as key targets for the APT groups: defense industrial base, healthcare and public health, energy, telecommunications and government facilities.

According to the advisory, the following vulnerabilities have been used in these attacks to gain initial access:

CVE
Description
CVSSv3
VPR*

CVE-2018-13379
Fortinet FortiGate SSL VPN Path Traversal Vulnerability
9.8
9.9

CVE-2019-1653
Cisco Small Business Routers Information Disclosure
9.8
7.2

CVE-2019-2725
Oracle Weblogic Server Deserialization Vulnerability
9.8
9.2

CVE-2019-7609
Kibana Arbitrary Code Execution
10.0
9.2

CVE-2019-9670
Zimbra Software XML External Entity Injection Vulnerability
9.8
9.2

CVE-2019-10149
Exim Simple Mail Transfer Protocol Remote Code Execution
9.8
9.7

CVE-2019-11510
Pulse Connect Secure Arbitrary File Read
10.0
10.0

CVE-2019-19781
Citrix ADC And Gateway Directory Traversal Vulnerability
9.8
9.8

CVE-2020-0688
Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability
8.8
9.8

CVE-2020-4006
VMware Workspace One Command Injection
9.1
10.0

CVE-2020-5902
F5 BIG-IP Remote Code Execution
9.8
9.7

CVE-2020-14882
Oracle WebLogic Remote Code Execution
9.8
9.8

CVE-2021-26855
Microsoft Exchange Server Remote Code Execution
9.8
9.9

CVE-2021-26857
Microsoft Exchange Server Remote Code Execution
7.8
9.8

CVE-2021-26858
Microsoft Exchange Server Remote Code Execution
7.8
9.8

CVE-2021-27065
Microsoft Exchange Server Remote Code Execution
7.8
9.9

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on February 24 and reflects VPR at that time.

On February 16, CISA published a joint cybersecurity advisory along with the FBI, NSA regarding the “regular targeting” of United States cleared defense contractors (CDCs). According to the advisory, the attacks originate from state-sponsored threat actors in Russia. The targets of the attacks include both large and small CDCs, as well as subcontractors. These CDCs are being targeted because of existing contracts they hold with the United States Department of Defense (DoD) and Intelligence Community.

The targeting activity spans from January 2020 through February 2022. The advisory says that the attackers have “maintained persistent access to multiple CDC networks” with the longest being for “at least six months.” They’ve used this access to exfiltrate both emails and data from these organizations.

Outside of the use of standard techniques (brute force, spear phishing emails), the threat actors have paired harvested credentials with known vulnerabilities to target public-facing applications including VPNs.

The following are a list of CVEs the threat actor has reportedly used:

CVE
Description
CVSSv3
VPR

CVE-2020-0688
Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability
8.8
9.8

CVE-2020-17144
Microsoft Exchange Server Remote Code Execution Vulnerability
8.4
9.9

CVE-2018-13379
Fortinet FortiGate SSL VPN Path Traversal Vulnerability
9.8
9.9

However, even if CDCs do patch known vulnerabilities within their networks, the threat actors will “alter their tradecraft” in an effort to regain access through “new means.” This is why these government agencies stress that CDCs “maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.”

In October 2020, CISA published an alert around Russian state-sponsored activity targeting the U.S. Government. In it, several of the vulnerabilities listed above are referenced. However, they also highlight CVE-2020-1472, dubbed “Zerologon,” a critical vulnerability in Microsoft’s Netlogon Protocol that is used as a post-exploitation vulnerability. Zerologon is a popular vulnerability among threat actors and ransomware groups, who often pair it with several of the initial access vulnerabilities in this blog post including several SSL-VPN vulnerabilities.

CVE
Description
CVSSv3
VPR

CVE-2020-1472
Microsoft Netlogon Elevation of Privilege Vulnerability
10.0
10.0

Defending Active Directory

For attackers, Active Directory is the holy grail for disrupting business operations, exfiltrating sensitive information and deploying malware across a network. Recognizing the importance of Active Directory, it is imperative that organizations are adequately prepared to defend against common techniques leveraged by these APT groups.

Once inside a network, these threat actors will map the environment’s AD in order to connect to domain controllers (DCs). The goal is to exfiltrate credentials from the network and export the ntds.dit AD database file. The threat actors have also been observed using the Mimikatz hacktool in order to “dump admin credentials” from DCs.

Securing users, groups, and computers that require privileges within AD should be a high priority. For example, privileged accounts that have certain attributes configured are susceptible to Kerberoasting, which can lead to impersonation or even Golden Ticket Attack.

Attackers are using these tactics to obtain domain level privileges within AD. Once they have domain level privileges, they will use Group Policy to distribute malware and ransomware. For instance, Ryuk ransomware is known for these tactics and they have also been leveraged recently by wiper malware.

Solution

Many of the vulnerabilities listed in these alerts are more than a year old and all have patches available. Organizations are strongly urged to find and patch any endpoints that are still vulnerable. In addition to listing vulnerabilities being targeted, the advisories include recommendations for preparing to defend against cyberattacks.

Organizations should also ensure that all passwords within AD are changed often and follow secure complexity and length suggestions to protect against password spray and password brute force attacks.

Identifying affected systems

A list of Tenable plugins to identify thesevulnerabilities can be found here.

A scan template and dashboard identifying the vulnerabilities listed in this blog post for Nessus, Tenable.io and Tenable.sc are in development. We will update this blog post once they are available.

Conclusion

Although nations and organizations are being targeted, history has taught us that the digital impact is likely to be far-reaching. But this speculation shouldn’t detract from the obvious: there are steps you can take to protect yourself. Tenable is committed to doing our utmost to help organizations guard themselves in a world where we must acknowledge that digital threats will be a significant part of any conflict scenario.

Get more information

CISA Advisory: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology
CISA Advisory: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
Blog Post: Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More