Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine

Government agencies publish warnings and guidance for organizations to defend themselves against advanced persistent threat groups.

As governments around the world call for heightened cyber vigilance, the reality of our digital world comes into stark relief: there are no boundaries when it comes to the potential damage that can be inflicted as a result of nation-state conflicts. The tactical information shared in this blog is designed to help you prepare your digital response to these rapidly unfolding events.

Update February 25: The Identifying affected systems section has been updated to announce the availability of scan templates for the vulnerabilities discussed in this blog.

Background

Jen Easterly, director of the Cyber Security and Infrastructure Security Agency (CISA), recently tweeted that, despite no specific credible threats against organizations in the United States by Russian state-sponsored activity, these advanced persistent threat (APT) groups have historically targeted organizations through a variety of means, including exploiting vulnerabilities in perimeter devices and utilizing Active Directory (AD) for lateral movement. CISA has called for every organization to “adopt a heighted posture of vigilance.”

CISA announced Shields Up, an initiative to empower organizations and provide guidance on how to limit the exposure to common attack paths leveraged by these APT groups.

Analysis

In recent months, CISA has also issued joint advisories regarding specific vulnerabilities targeted by these APT groups and the steps organizations can take to mitigate their risks of exploitation. Both the U.K. National Cyber Security Centre and Australia Cyber Security Centre have released advisories on this subject as well.

In January, CISA, the Federal Bureau of Investigation (FBI) and National Security Agency (NSA) issued a joint cybersecurity alert regarding “Russian Cyber Threats to U.S. Critical Infrastructure.” This alert focuses on observed behavior from Russian state-sponsored threat groups targeting critical infrastructure organizations in several countries. The alert highlights the following sectors as key targets for the APT groups: defense industrial base, healthcare and public health, energy, telecommunications and government facilities.

According to the advisory, the following vulnerabilities have been used in these attacks to gain initial access:

CVE Description CVSSv3 VPR*
CVE-2018-13379 Fortinet FortiGate SSL VPN Path Traversal Vulnerability 9.8 9.9
CVE-2019-1653 Cisco Small Business Routers Information Disclosure 9.8 7.2
CVE-2019-2725 Oracle Weblogic Server Deserialization Vulnerability 9.8 9.2
CVE-2019-7609 Kibana Arbitrary Code Execution 10.0 9.2
CVE-2019-9670 Zimbra Software XML External Entity Injection Vulnerability 9.8 9.2
CVE-2019-10149 Exim Simple Mail Transfer Protocol Remote Code Execution 9.8 9.7
CVE-2019-11510 Pulse Connect Secure Arbitrary File Read 10.0 10.0
CVE-2019-19781 Citrix ADC And Gateway Directory Traversal Vulnerability 9.8 9.8
CVE-2020-0688 Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability 8.8 9.8
CVE-2020-4006 VMware Workspace One Command Injection 9.1 10.0
CVE-2020-5902 F5 BIG-IP Remote Code Execution 9.8 9.7
CVE-2020-14882 Oracle WebLogic Remote Code Execution 9.8 9.8
CVE-2021-26855 Microsoft Exchange Server Remote Code Execution 9.8 9.9
CVE-2021-26857 Microsoft Exchange Server Remote Code Execution 7.8 9.8
CVE-2021-26858 Microsoft Exchange Server Remote Code Execution 7.8 9.8
CVE-2021-27065 Microsoft Exchange Server Remote Code Execution 7.8 9.9

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on February 24 and reflects VPR at that time.

On February 16, CISA published a joint cybersecurity advisory along with the FBI, NSA regarding the “regular targeting” of United States cleared defense contractors (CDCs). According to the advisory, the attacks originate from state-sponsored threat actors in Russia. The targets of the attacks include both large and small CDCs, as well as subcontractors. These CDCs are being targeted because of existing contracts they hold with the United States Department of Defense (DoD) and Intelligence Community.

The targeting activity spans from January 2020 through February 2022. The advisory says that the attackers have “maintained persistent access to multiple CDC networks” with the longest being for “at least six months.” They’ve used this access to exfiltrate both emails and data from these organizations.

Outside of the use of standard techniques (brute force, spear phishing emails), the threat actors have paired harvested credentials with known vulnerabilities to target public-facing applications including VPNs.

The following are a list of CVEs the threat actor has reportedly used:

CVE Description CVSSv3 VPR
CVE-2020-0688 Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability 8.8 9.8
CVE-2020-17144 Microsoft Exchange Server Remote Code Execution Vulnerability 8.4 9.9
CVE-2018-13379 Fortinet FortiGate SSL VPN Path Traversal Vulnerability 9.8 9.9

However, even if CDCs do patch known vulnerabilities within their networks, the threat actors will “alter their tradecraft” in an effort to regain access through “new means.” This is why these government agencies stress that CDCs “maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.”

In October 2020, CISA published an alert around Russian state-sponsored activity targeting the U.S. Government. In it, several of the vulnerabilities listed above are referenced. However, they also highlight CVE-2020-1472, dubbed “Zerologon,” a critical vulnerability in Microsoft’s Netlogon Protocol that is used as a post-exploitation vulnerability. Zerologon is a popular vulnerability among threat actors and ransomware groups, who often pair it with several of the initial access vulnerabilities in this blog post including several SSL-VPN vulnerabilities.

CVE Description CVSSv3 VPR
CVE-2020-1472 Microsoft Netlogon Elevation of Privilege Vulnerability 10.0 10.0

Defending Active Directory

For attackers, Active Directory is the holy grail for disrupting business operations, exfiltrating sensitive information and deploying malware across a network. Recognizing the importance of Active Directory, it is imperative that organizations are adequately prepared to defend against common techniques leveraged by these APT groups.

Once inside a network, these threat actors will map the environment’s AD in order to connect to domain controllers (DCs). The goal is to exfiltrate credentials from the network and export the ntds.dit AD database file. The threat actors have also been observed using the Mimikatz hacktool in order to “dump admin credentials” from DCs.

Securing users, groups, and computers that require privileges within AD should be a high priority. For example, privileged accounts that have certain attributes configured are susceptible to Kerberoasting, which can lead to impersonation or even Golden Ticket Attack.

Attackers are using these tactics to obtain domain level privileges within AD. Once they have domain level privileges, they will use Group Policy to distribute malware and ransomware. For instance, Ryuk ransomware is known for these tactics and they have also been leveraged recently by wiper malware.

Solution

Many of the vulnerabilities listed in these alerts are more than a year old and all have patches available. Organizations are strongly urged to find and patch any endpoints that are still vulnerable. In addition to listing vulnerabilities being targeted, the advisories include recommendations for preparing to defend against cyberattacks.

Organizations should also ensure that all passwords within AD are changed often and follow secure complexity and length suggestions to protect against password spray and password brute force attacks.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

A Scan template for Nessus, Tenable.io and Tenable.sc has been released as well as Tenable.sc and Tenable.io dashboards which can be used to identify the vulnerabilities listed in this blog post.

Conclusion

Although nations and organizations are being targeted, history has taught us that the digital impact is likely to be far-reaching. But this speculation shouldn’t detract from the obvious: there are steps you can take to protect yourself. Tenable is committed to doing our utmost to help organizations guard themselves in a world where we must acknowledge that digital threats will be a significant part of any conflict scenario.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.