Russian SVR exploits another set of publicly known Vulnerabilities

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here.

In accordance with the earlier Threat Advisory released by the Hive Pro threat research team, the Russian SVR aka APT29  continues exploitation of known vulnerabilities to target organizations globally. The threat actors have now expanded their TTPs using multiple publicly available exploit and the Silver framework. The new set of victims include sectors such as governments, think-tank, policy, and energy  by deploying an open-source tool Silver which allows the SVR to gain persistence on compromised infrastructure.

The Techniques used by the APT29 includes:

• Active Scanning(T1595.002)
• Exploit PublicFacing Application(T1190)
• Supply Chain Compromise: Compromise Software Supply Chain(T1195.002)
• Trusted Relationship(T1199)
• Command and Scripting Interpreter: Visual Basic(T1059.005)
• Server Software Component: Web Shell(T1505.003)
• Valid Accounts(T1078)

The 7 vulnerabilities targeted are:

• CVE-2019-1653 – Cisco Small Business RV320 and RV325 Routers
• CVE-2019-2725 – Oracle WebLogic Server
• CVE-2019-7609 – Kibana
• CVE-2020-5902 – F5 Big-IP
• CVE-2020-14882 – Oracle WebLogic Server
• CVE-2021-21972 – VMware vSphere
• CVE-2021-26855 – Microsoft Exchange Server

Actor Details

Name: APT 29 
Known as: Cozy Bear, The Dukes, Group 100, Yttrium, Iron Hemlock, Minidionis, CloudLook, Grizzly Steppe, CozyCar, CozyDuke 
Origin: Russia
Targeted Locations: Austria, Brazil, China, France, Germany, Hungary, Japan, Mexico, Netherlands, New Zealand, Norway, Portugal, South Korea, Spain, Turkey, Ukraine, United States, Uzbekistan
Targeted Sectors: Academic, Aerospace, Energy, Extractive, Financial Services, Government, Industrials, Engineering, Insurance, Media, NGOs, Nonprofits Oil and Gas, Pharmaceuticals, Technology

Vulnerability Details

For details, please refer to the pdf version of the advisory here

Patch Links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 
https://support.f5.com/csp/article/K52145254
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855

References

• https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf

• https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html

• https://nvd.nist.gov/vuln/detail/CVE-2021-26855

• https://nvd.nist.gov/vuln/detail/CVE-2020-14882

• https://nvd.nist.gov/vuln/detail/CVE-2020-5902

• https://nvd.nist.gov/vuln/detail/CVE-2019-7609

• https://nvd.nist.gov/vuln/detail/CVE-2019-2725

• https://nvd.nist.gov/vuln/detail/CVE-2019-1653

• https://nvd.nist.gov/vuln/detail/CVE-2021-21972