Government agencies publish warnings and guidance for organizations to defend themselves against advanced persistent threat groups.
Update February 25: The Identifying affected systems section has been updated to announce the availability of scan templates for the vulnerabilities discussed in this blog.
As governments around the world call for heightened cyber vigilance, the reality of our digital world comes into stark relief: there are no boundaries when it comes to the potential damage that can be inflicted as a result of nation-state conflicts. The tactical information shared in this blog is designed to help you prepare your digital response to these rapidly unfolding events.
Background
Jen Easterly, director of the Cyber Security and Infrastructure Security Agency (CISA), recently tweeted that, despite no specific credible threats against organizations in the United States by Russian state-sponsored activity, these advanced persistent threat (APT) groups have historically targeted organizations through a variety of means, including exploiting vulnerabilities in perimeter devices and utilizing Active Directory (AD) for lateral movement. CISA has called for every organization to “adopt a heighted posture of vigilance.”
CISA announced Shields Up, an initiative to empower organizations and provide guidance on how to limit the exposure to common attack paths leveraged by these APT groups.
Analysis
In recent months, CISA has also issued joint advisories regarding specific vulnerabilities targeted by these APT groups and the steps organizations can take to mitigate their risks of exploitation. Both the U.K. National Cyber Security Centre and Australia Cyber Security Centre have released advisories on this subject as well.
In January, CISA, the Federal Bureau of Investigation (FBI) and National Security Agency (NSA) issued a joint cybersecurity alert regarding “Russian Cyber Threats to U.S. Critical Infrastructure.” This alert focuses on observed behavior from Russian state-sponsored threat groups targeting critical infrastructure organizations in several countries. The alert highlights the following sectors as key targets for the APT groups: defense industrial base, healthcare and public health, energy, telecommunications and government facilities.
According to the advisory, the following vulnerabilities have been used in these attacks to gain initial access:
| CVE | Description | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2018-13379 | Fortinet FortiGate SSL VPN Path Traversal Vulnerability | 9.8 | 9.9 |
| CVE-2019-1653 | Cisco Small Business Routers Information Disclosure | 9.8 | 7.2 |
| CVE-2019-2725 | Oracle Weblogic Server Deserialization Vulnerability | 9.8 | 9.2 |
| CVE-2019-7609 | Kibana Arbitrary Code Execution | 10.0 | 9.2 |
| CVE-2019-9670 | Zimbra Software XML External Entity Injection Vulnerability | 9.8 | 9.2 |
| CVE-2019-10149 | Exim Simple Mail Transfer Protocol Remote Code Execution | 9.8 | 9.7 |
| CVE-2019-11510 | Pulse Connect Secure Arbitrary File Read | 10.0 | 10.0 |
| CVE-2019-19781 | Citrix ADC And Gateway Directory Traversal Vulnerability | 9.8 | 9.8 |
| CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | 8.8 | 9.8 |
| CVE-2020-4006 | VMware Workspace One Command Injection | 9.1 | 10.0 |
| CVE-2020-5902 | F5 BIG-IP Remote Code Execution | 9.8 | 9.7 |
| CVE-2020-14882 | Oracle WebLogic Remote Code Execution | 9.8 | 9.8 |
| CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution | 9.8 | 9.9 |
| CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution | 7.8 | 9.8 |
| CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution | 7.8 | 9.8 |
| CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution | 7.8 | 9.9 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on February 24 and reflects VPR at that time.
On February 16, CISA published a joint cybersecurity advisory along with the FBI, NSA regarding the “regular targeting” of United States cleared defense contractors (CDCs). According to the advisory, the attacks originate from state-sponsored threat actors in Russia. The targets of the attacks include both large and small CDCs, as well as subcontractors. These CDCs are being targeted because of existing contracts they hold with the United States Department of Defense (DoD) and Intelligence Community.
The targeting activity spans from January 2020 through February 2022. The advisory says that the attackers have “maintained persistent access to multiple CDC networks” with the longest being for “at least six months.” They’ve used this access to exfiltrate both emails and data from these organizations.
Outside of the use of standard techniques (brute force, spear phishing emails), the threat actors have paired harvested credentials with known vulnerabilities to target public-facing applications including VPNs.
The following are a list of CVEs the threat actor has reportedly used:
| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | 8.8 | 9.8 |
| CVE-2020-17144 | Microsoft Exchange Server Remote Code Execution Vulnerability | 8.4 | 9.9 |
| CVE-2018-13379 | Fortinet FortiGate SSL VPN Path Traversal Vulnerability | 9.8 | 9.9 |
However, even if CDCs do patch known vulnerabilities within their networks, the threat actors will “alter their tradecraft” in an effort to regain access through “new means.” This is why these government agencies stress that CDCs “maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.”
In October 2020, CISA published an alert around Russian state-sponsored activity targeting the U.S. Government. In it, several of the vulnerabilities listed above are referenced. However, they also highlight CVE-2020-1472, dubbed “Zerologon,” a critical vulnerability in Microsoft’s Netlogon Protocol that is used as a post-exploitation vulnerability. Zerologon is a popular vulnerability among threat actors and ransomware groups, who often pair it with several of the initial access vulnerabilities in this blog post including several SSL-VPN vulnerabilities.
| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2020-1472 | Microsoft Netlogon Elevation of Privilege Vulnerability | 10.0 | 10.0 |
Defending Active Directory
For attackers, Active Directory is the holy grail for disrupting business operations, exfiltrating sensitive information and deploying malware across a network. Recognizing the importance of Active Directory, it is imperative that organizations are adequately prepared to defend against common techniques leveraged by these APT groups.
Once inside a network, these threat actors will map the environment’s AD in order to connect to domain controllers (DCs). The goal is to exfiltrate credentials from the network and export the ntds.dit AD database file. The threat actors have also been observed using the Mimikatz hacktool in order to “dump admin credentials” from DCs.
Securing users, groups, and computers that require privileges within AD should be a high priority. For example, privileged accounts that have certain attributes configured are susceptible to Kerberoasting, which can lead to impersonation or even Golden Ticket Attack.
Attackers are using these tactics to obtain domain level privileges within AD. Once they have domain level privileges, they will use Group Policy to distribute malware and ransomware. For instance, Ryuk ransomware is known for these tactics and they have also been leveraged recently by wiper malware.
Solution
Many of the vulnerabilities listed in these alerts are more than a year old and all have patches available. Organizations are strongly urged to find and patch any endpoints that are still vulnerable. In addition to listing vulnerabilities being targeted, the advisories include recommendations for preparing to defend against cyberattacks.
Organizations should also ensure that all passwords within AD are changed often and follow secure complexity and length suggestions to protect against password spray and password brute force attacks.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found here.
A Scan template for Nessus, Tenable.io and Tenable.sc has been released as well as Tenable.sc and Tenable.io dashboardswhich can be used to identify the vulnerabilities listed in this blog post.
Conclusion
Although nations and organizations are being targeted, history has taught us that the digital impact is likely to be far-reaching. But this speculation shouldn’t detract from the obvious: there are steps you can take to protect yourself. Tenable is committed to doing our utmost to help organizations guard themselves in a world where we must acknowledge that digital threats will be a significant part of any conflict scenario.
Source: Tenable