Recent flaws that the state-affiliated actor has exploited widely include CVE-2023-42793 in JetBrains TeamCity and CVE-2022-27924 in Zimbra.
The FBI in collaboration with the National Security Agency, Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) has released a list of 24 vulnerabilities that Russia’s APT29 (aka Midnight Blizzard/Nobelium, Cozy Bear, Dukes) has used already or could use in future attacks.
The authoring agencies compiled the list based on an assessment of the group’s previous targeting and observed tactics, techniques and procedures (TTPs). The list includes vulnerabilities in products from Microsoft, Cisco, Qualcomm, Citrix, Zimbra, JetBrains and Ivanti that the threat actor could use for privilege escalation, initial access and remote code execution.
Examples of vulnerabilities in the list include: CVE-2023-20198, a privilege escalation vulnerability in Cisco IOS; CVE-2022-40507, a memory corruption issue in Qualcomm; CVE-2023-36745, an RCE in Microsoft Exchange Server; CVE-2023-4966 (Citrix Bleed), a buffer overflow in NetScaler and NetScaler Gateway; CVE-2023-37580, a cross-site scripting error in Zimbra Collaboration Suite; and CVE-2023-35078, an authentication bypass in Ivanti Endpoint Manager Mobile.
Russia-linked: The US government and several security vendors have formally linked APT29 to Russia’s Foreign Intelligence Service (SVR) and have described the group as presenting a sophisticated threat to both government and private sector organizations. They believe its primary mission is to conduct cyber espionage on entities in the defense, technology and finance sectors and to collect information for future attacks, including those in support of its invasion of Ukraine.
“The authoring agencies are releasing this [advisory] to warn network defenders that SVR cyber actors are highly capable of and interested in exploiting software vulnerabilities for initial access [and escalation of privileges],” the FBI said on its Internet Crime Complaint Center (IC3) site. “Organizations should prioritize rapid patch deployment and keep software up to date.”
Here are some other takeaways from the advisory:
- Vulnerabilities that APT29/SVR has exploited on a mass scale include CVE-2022-27924, a command injection vulnerability in Zimbra Collaboration that the threat actors exploited at hundreds of organizations worldwide to access user credentials and mailboxes without any user interaction, and CVE-2023-42793, an authentication bypass vulnerability in JetBrains TeamCity that enabled remote code execution.
- SVR’s targets include both intended victims and victims of opportunity. So, even if an organization is not in an industry sector of specific interest to the threat group, it could still become a victim.
- The group’s targets include government and diplomatic entities, technology companies, think tanks, international organizations, and defense contractors.
- APT29’s opportunistic victims have included organizations with vulnerable Internet-accessible infrastructure, system misconfigurations and/or weak access and authentication controls. As the advisory noted: “The SVR takes advantage of opportunistic victims to host malicious infrastructure, conduct follow-on operations from compromised accounts, or to attempt to pivot to other networks.”
- The recommendations of the authoring agencies include patching quickly; disabling or removing unused or unnecessary Internet-facing services, applications and utilities; performing continuous threat hunting; network segmentation; enabling MFA; and enabling logging for all Internet-facing functions and authentication services.