Russian SVR exploits another set of publicly known Vulnerabilities
THREAT LEVEL: Red.
For a detailed advisory, download the pdf file here.
Following the earlier Threat Advisory released by the Hive Pro threat research team, the Russian SVR, also known as APT29, continues to exploit known vulnerabilities to target organizations globally. The threat actors have now expanded their TTPs, using multiple publicly available exploits together with the Sliver framework. The new set of victims spans sectors such as government, think-tanks, policy, and energy; on compromised infrastructure the SVR deploys the open-source tool Sliver, which allows it to maintain persistence.
The techniques used by APT29 include:
- Active Scanning (T1595.002)
- Exploit Public-Facing Application (T1190)
- Supply Chain Compromise: Compromise Software Supply Chain (T1195.002)
- Trusted Relationship (T1199)
- Command and Scripting Interpreter: Visual Basic (T1059.005)
- Server Software Component: Web Shell (T1505.003)
- Valid Accounts (T1078)
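The first technique on the list, Active Scanning (T1595.002), has a recognisable footprint in web-server access logs: one client touching many distinct paths in a short window, most of them answered with 4xx errors. The script below is an added example and not part of the Hive Pro advisory or any tool it references; it parses Combined Log Format lines and flags clients whose behaviour matches that pattern. The log lines, IP addresses and thresholds (60-second window, 8 distinct paths, 60% error ratio) are constructed for the demonstration and are assumptions to tune for your own environment.

```python
"""Detect vulnerability-scanning behaviour (T1595.002) in web access logs.

Added example, not part of the advisory: flags a client that requests many
distinct paths in a short window with a high 4xx ratio, the footprint of an
automated scanner probing for exploitable services.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx Combined Log Format; the timestamp layout is the standard one.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 198.51.100.9 probes ten paths in ten seconds (nine 404s),
# while 203.0.113.5 browses normally. Neither address is a real indicator.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [10/May/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/May/2021:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 210
198.51.100.9 - - [10/May/2021:10:00:04 +0000] "GET /backup/ HTTP/1.1" 404 210
198.51.100.9 - - [10/May/2021:10:00:05 +0000] "GET /config/ HTTP/1.1" 404 210
198.51.100.9 - - [10/May/2021:10:00:06 +0000] "GET /login/ HTTP/1.1" 404 210
198.51.100.9 - - [10/May/2021:10:00:07 +0000] "GET /setup/ HTTP/1.1" 404 210
198.51.100.9 - - [10/May/2021:10:00:08 +0000] "GET /status/ HTTP/1.1" 404 210
198.51.100.9 - - [10/May/2021:10:00:09 +0000] "GET /test/ HTTP/1.1" 404 210
198.51.100.9 - - [10/May/2021:10:00:10 +0000] "GET /old/ HTTP/1.1" 404 210
198.51.100.9 - - [10/May/2021:10:00:11 +0000] "GET /manager/ HTTP/1.1" 404 210
203.0.113.5 - - [10/May/2021:10:00:12 +0000] "GET /about.html HTTP/1.1" 200 300
203.0.113.5 - - [10/May/2021:10:00:13 +0000] "GET /contact.html HTTP/1.1" 200 280
"""


def parse_log(text):
    """Turn access-log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def find_scanners(events, window_s=60, min_paths=8, min_error_ratio=0.6):
    """Return {ip: (distinct_paths, error_ratio)} for clients that, within any
    window_s-second window, hit at least min_paths distinct paths with at least
    min_error_ratio of the responses being 4xx. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        window = []  # events no older than window_s seconds before the current one
        for e in evs:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.pop(0)
            paths = {w["path"] for w in window}
            errors = sum(1 for w in window if 400 <= w["status"] < 500)
            ratio = errors / len(window)
            if len(paths) >= min_paths and ratio >= min_error_ratio:
                prev = flagged.get(ip)
                # Keep the widest window seen for this client.
                if prev is None or len(paths) > prev[0]:
                    flagged[ip] = (len(paths), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for ip, (n_paths, ratio) in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible scanner {ip}: {n_paths} distinct paths, {ratio:.0%} 4xx")
```

The sliding window keeps the check cheap on large logs, and tracking the 4xx ratio rather than raw request volume separates a scanner from a legitimate crawler, which mostly receives 200s. Run against real logs, the output is a triage list, not a verdict: confirm the source before blocking it, and pair this with the patch links at the end of this advisory so that a probe of a public-facing application (T1190) finds nothing exploitable.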
The 7 vulnerabilities targeted are:
- CVE-2019-1653 – Cisco Small Business RV320 and RV325 Routers
- CVE-2019-2725 – Oracle WebLogic Server
- CVE-2019-7609 – Kibana
- CVE-2020-5902 – F5 Big-IP
- CVE-2020-14882 – Oracle WebLogic Server
- CVE-2021-21972 – VMware vSphere
- CVE-2021-26855 – Microsoft Exchange Server
Actor Details
Name: APT29
Known as: Cozy Bear, The Dukes, Group 100, Yttrium, Iron Hemlock, Minidionis, CloudLook, Grizzly Steppe, CozyCar, CozyDuke
Origin: Russia
Targeted Locations: Austria, Brazil, China, France, Germany, Hungary, Japan, Mexico, Netherlands, New Zealand, Norway, Portugal, South Korea, Spain, Turkey, Ukraine, United States, Uzbekistan
Targeted Sectors: Academic, Aerospace, Energy, Extractive, Financial Services, Government, Industrials, Engineering, Insurance, Media, NGOs, Nonprofits, Oil and Gas, Pharmaceuticals, Technology
Vulnerability Details
For details, please refer to the PDF version of the advisory here.
Patch Links
- CVE-2019-1653: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
- CVE-2019-2725: http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
- CVE-2019-7609: https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
- CVE-2020-5902: https://support.f5.com/csp/article/K52145254
- CVE-2020-14882: https://www.oracle.com/security-alerts/cpuoct2020.html
- CVE-2021-21972: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
- CVE-2021-26855: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855