A joint cybersecurity advisory from the FBI, NSA, and UK’s NCSC highlights the vulnerabilities being actively exploited by Russian SVR (Sluzhba Vneshney Razvedki) cyber actors.
These highly capable attackers, known as APT29 or Cozy Bear, are focusing on several software vulnerabilities to gain unauthorized access and escalate privileges in networks. SVR’s techniques target entities in government, technology, and defense sectors, posing a substantial threat worldwide. Users and organizations should prioritize patching and mitigating the vulnerabilities outlined in the advisory to protect their networks from compromise.
According to the advisory, the SVR cyber group has been exploiting several vulnerabilities since 2021, targeting both “targets of intent” (such as government and defense contractors) and “targets of opportunity” (entities with internet-facing vulnerabilities).
They have leveraged known CVEs to gain initial access to networks, conduct spear-phishing campaigns, and move laterally across compromised systems. Their tools and techniques often involve spear-phishing, password spraying, and exploiting supply chain relationships.
Key vulnerabilities being exploited include:
- CVE-2022-27924 (Zimbra Mail Servers): This command injection vulnerability allows attackers to access user credentials and mailboxes without interaction from the victim. It was exploited across hundreds of domains worldwide.
- CVE-2023-42793 (JetBrains TeamCity): Exploited since September 2023, this authentication bypass allows remote attackers to execute arbitrary code, targeting software development firms and other sectors.
- CVE-2023-20198 (Cisco IOS XE): A privilege escalation vulnerability allowing attackers to create local user accounts with administrative privileges.
- CVE-2023-4911 (GNU C Library): A buffer overflow vulnerability that could allow local attackers to execute code with elevated privileges.
- CVE-2023-38545/38546 (libcurl): These vulnerabilities involve buffer overflows and missing authorization, affecting services that use the libcurl library.
Additionally, vulnerabilities affecting major platforms such as Android, Bluetooth devices, Supermicro hardware, and Microsoft Exchange Server are also being targeted. These vulnerabilities can lead to remote code execution, privilege escalation, and even man-in-the-middle attacks, which compromise communications and data.
What users should do
To defend against these threats, network defenders are urged to:
- Prioritize the deployment of vendor security patches for the CVEs listed, especially those affecting widely used services like Cisco, Zimbra, and Microsoft.
- Reduce attack surfaces by disabling internet-facing services that are unnecessary or removing obsolete software from workstations.
- Enforce multi-factor authentication across all accounts, particularly those with administrative access.
- Regularly review cloud-based accounts for suspicious activities, especially those with administrative access.
- Limit token lifetimes and monitor for signs of token reuse, which could indicate compromised sessions or accounts.
- Actively search for signs of compromise in your networks, such as abnormal activity from authorized devices or unexpected registrations.
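As an added illustration of the token-lifetime and token-reuse monitoring recommended above (example code written for this summary, not part of the advisory): a small Python checker that runs over constructed session-log lines and flags any token seen from more than one source IP or user agent, or active for longer than an assumed maximum lifetime. The log format, field names and the eight-hour limit are assumptions.

```python
"""Flag session tokens that are reused across sources or outlive their lifetime."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the advisory):
# timestamp, user, token id, source IP, user agent
SAMPLE_LOG = """\
2024-10-01T08:00:00Z alice tok_a1 203.0.113.10 Mozilla/5.0
2024-10-01T08:05:00Z alice tok_a1 203.0.113.10 Mozilla/5.0
2024-10-01T08:07:00Z alice tok_a1 198.51.100.7 curl/8.4.0
2024-10-01T09:00:00Z bob tok_b2 192.0.2.44 Mozilla/5.0
2024-10-02T10:00:00Z bob tok_b2 192.0.2.44 Mozilla/5.0
"""

MAX_TOKEN_LIFETIME = timedelta(hours=8)  # assumed policy value, not from the advisory


def parse(log_text):
    """Parse one event per line into (timestamp, user, token, ip, user_agent)."""
    events = []
    for line in log_text.splitlines():
        ts, user, token, ip, ua = line.split(" ", 4)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, token, ip, ua))
    return events


def find_token_anomalies(log_text, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return {token: [reasons]} for tokens that look reused or overlong."""
    by_token = defaultdict(list)
    for ev in parse(log_text):
        by_token[ev[2]].append(ev)
    findings = {}
    for token, evs in by_token.items():
        evs.sort()  # chronological order (tuples sort by timestamp first)
        reasons = []
        ips = {ip for _, _, _, ip, _ in evs}
        uas = {ua for *_, ua in evs}
        if len(ips) > 1:  # same token presented from different network locations
            reasons.append(f"used from {len(ips)} source IPs: {sorted(ips)}")
        if len(uas) > 1:  # same token presented by a different client
            reasons.append("user agent changed mid-session")
        span = evs[-1][0] - evs[0][0]
        if span > max_lifetime:  # token still in use beyond the allowed lifetime
            reasons.append(f"active for {span} (limit {max_lifetime})")
        if reasons:
            findings[token] = reasons
    return findings
```

In practice the token field would be a hash or opaque session id from the identity provider's sign-in logs, and the IP check is usually relaxed to compare ASN or geolocation rather than exact address.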
SVR’s tactics of exploiting public vulnerabilities, paired with their ability to remain stealthy by using proxies and cloud misconfigurations, present a persistent and evolving threat. Organizations must act quickly to apply the latest patches and harden their systems against these advanced cyber-espionage operations.