Russian state-sponsored cyber actors targeting U.S. critical infrastructure

THREAT LEVEL: Red.

In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) revealed that Russian state-sponsored threat actors targeted U.S. defense contractors from January 2020 to February 2022. The threat actors exfiltrated sensitive data from small and large companies in the U.S. working on defense and intelligence contracts, including missile development, vehicle and aircraft, and software development.

Threat actors gain initial access by using brute force to identify valid account credentials for domain and M365 accounts. Using compromised M365 credentials, including those of global admin accounts, they can access M365 resources such as SharePoint pages, user profiles, and user emails. They also used harvested credentials in conjunction with the known vulnerabilities CVE-2020-0688 and CVE-2020-17144 in Microsoft Exchange Server to escalate privileges and gain remote code execution (RCE) on exposed applications. In addition, they have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database “ntds.dit”. In multiple breaches, they maintained persistence in the network for at least 6 months, continuously exfiltrating sensitive emails and data.

Organizations can mitigate the risk by following these recommendations:

• Monitor the use of stolen credentials.

• Keep all operating systems and software up to date.

• Enable multifactor authentication (MFA) for all users, without exception.
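One way to act on the credential-monitoring recommendation is to look for the password-spraying pattern (T1110.003) in authentication logs: one source failing against many accounts with only a few guesses each, followed by a success from that same source. The Python below is an added example, not code from the advisory; the record layout, thresholds and sample events are constructed assumptions and do not match a real M365 or domain controller log schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, source_ip, outcome). Hypothetical
# schema for illustration, not a real M365 or domain-controller log format.
SAMPLE_EVENTS = [
    ("2022-02-01T09:00:00", "alice@example.com", "203.0.113.10", "failure"),
    ("2022-02-01T09:01:00", "bob@example.com", "203.0.113.10", "failure"),
    ("2022-02-01T09:02:00", "carol@example.com", "203.0.113.10", "failure"),
    ("2022-02-01T09:03:00", "dave@example.com", "203.0.113.10", "failure"),
    ("2022-02-01T09:04:00", "erin@example.com", "203.0.113.10", "failure"),
    ("2022-02-01T09:05:00", "carol@example.com", "203.0.113.10", "success"),
    # One user mistyping a password: repeated failures, single account.
    ("2022-02-01T09:00:00", "frank@example.com", "198.51.100.7", "failure"),
    ("2022-02-01T09:00:20", "frank@example.com", "198.51.100.7", "failure"),
    ("2022-02-01T09:00:40", "frank@example.com", "198.51.100.7", "success"),
]

def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Return {ip: {"targeted": set, "succeeded": set}} for spraying sources."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, account, ip, outcome in events:
        bucket = failures if outcome == "failure" else successes
        bucket[ip].append((datetime.fromisoformat(ts), account))
    findings = {}
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in rows[start:end + 1])
            # Spray signature: many accounts, few guesses against each one.
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                first_seen = rows[start][0]
                findings[ip] = {
                    "targeted": set(per_account),
                    # Successful logons from the same source after the spray
                    # began: credentials to treat as stolen and reset.
                    "succeeded": {a for t, a in successes[ip] if t >= first_seen},
                }
                break
    return findings

if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_EVENTS))
```

Accounts in the `succeeded` set are the ones to prioritise for password reset, session revocation and MFA enrolment checks.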

The techniques commonly used by the Russian cyber actor APT28 are:

TA0043: Reconnaissance

TA0001: Initial Access

TA0004: Privilege Escalation

TA0005: Defense Evasion

TA0006: Credential Access

TA0007: Discovery

TA0009: Collection

TA0003: Persistence

TA0008: Lateral Movement

TA0011: Command and Control

T1027: Obfuscated Files or Information

T1133: External Remote Services

T1190: Exploit Public-Facing Application

T1083: File and Directory Discovery

T1482: Domain Trust Discovery

T1213.002: Data from Information Repositories: SharePoint

T1090.003: Proxy: Multi-hop Proxy

T1589.001: Gather Victim Identity Information: Credentials

T1003.003: OS Credential Dumping: NTDS

T1110.003: Brute Force: Password Spraying

T1566.002: Phishing: Spearphishing Link

T1078.002: Valid Accounts: Domain Accounts

T1078.004: Valid Accounts: Cloud Accounts

Actor Details

Vulnerability Details

References

https://www.cisa.gov/uscert/ncas/alerts/aa22-047a