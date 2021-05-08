



The Russian hacking group behind the SolarWinds intrusion, which affected nine federal agencies, continues to adjust its tactics in response to government advisories, cybersecurity agencies in the United States and the United Kingdom warned.

A joint advisory released Friday by the UK's National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency and the FBI says that Russia's Foreign Intelligence Service (SVR), also known as APT29, changed its behavior after a July 2020 advisory on the group's activity. The US and UK formally attributed the SolarWinds campaign to the SVR in April. The July advisory had warned that the group was targeting organizations involved in developing a COVID-19 vaccine.

"SVR cyber operators appear to have reacted to this report by changing their TTPs [tactics, techniques and procedures] in an attempt to avoid further detection and remediation efforts by network defenders," the new advisory reads. Those changes included deploying Sliver, an open source tool, to maintain access.

Sliver is a red-team tool legitimately used to test an organization's network defenses. CISA listed it, alongside the similar tool Cobalt Strike, which can give attackers command and control of a compromised host, in a fact sheet summarizing recent activity related to Russian threat groups and the SolarWinds events.

The hackers used a variety of malware, including WellMess and WellMail, to gain initial access to the vaccine development organizations described in the earlier advisory. Beyond stealing credentials, they then used tools like Sliver to maintain their foothold, and took deliberate steps to hide their activity.

The use of the Sliver framework was likely an attempt to ensure that access to existing WellMess and WellMail victims was maintained, and that this access persisted even after the malware had been exposed. As observed in the SolarWinds incident, SVR operators typically used separate command and control infrastructure for each Sliver victim.

More broadly, the agencies said the attackers are exploiting the same vulnerabilities that government advisories warn about, including the Microsoft Exchange flaws Microsoft has associated with Chinese hackers, and they urged organizations to patch their systems faster.

According to the joint advisory, the group has also been observed exploiting numerous vulnerabilities, most recently the widely reported Microsoft Exchange vulnerabilities. It frequently uses publicly available exploits to conduct widespread scanning and exploitation of vulnerable systems, seeks to take full advantage of a variety of exploits once they are made public, and will quickly exploit recently disclosed vulnerabilities that could give it initial access to a target.

Officials said the Microsoft Exchange vulnerabilities, and the Microsoft Office 365 compromises they link to the Russian actors, apply to on-premises instances. Friday's advisory encouraged organizations to use the full range of audit mechanisms available, a sore point because Microsoft has generally charged extra for full logging functionality.

Organizations must ensure that sufficient logging (both cloud and on-premises) is enabled and retained for a reasonable length of time to identify compromised accounts, exfiltrated material and actor infrastructure, the advisory says. As part of its 'Advanced Auditing' feature, Microsoft introduced a new mailbox audit action called 'MailItemsAccessed' to help investigate compromised email accounts. It is part of Exchange mailbox auditing and is enabled by default for users assigned an Office 365 or Microsoft 365 E5 license, or for organizations with a Microsoft 365 E5 Compliance add-on subscription.
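As a concrete check on that guidance, the following script is an added example, not part of the advisory or of this article. It uses Exchange Online PowerShell to verify that mailbox auditing is enabled at the tenant and mailbox level, that MailItemsAccessed is in the mailbox's audit action sets, and then pulls the MailItemsAccessed records for one account and summarizes them by client IP and access type. It assumes the ExchangeOnlineManagement module and an account holding the View-Only Audit Logs role; the mailbox address and the 30-day window are placeholders.

```powershell
# Added example (not from the advisory or the article): check that Exchange Online
# is recording MailItemsAccessed for a mailbox, then summarise who read its mail.
# Assumptions: ExchangeOnlineManagement module installed, interactive sign-in,
# View-Only Audit Logs role. $Mailbox and the date window are placeholder values.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Mailbox   = 'alice@example.com'      # assumed account under investigation
$StartDate = (Get-Date).AddDays(-30)
$EndDate   = Get-Date

# 1. Auditing must not be switched off for the whole tenant.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled tenant-wide; enabling it.'
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. The mailbox must be audited, and MailItemsAccessed must be in the
#    owner/delegate/admin action sets (only there by default on E5 licences).
$mbx = Get-Mailbox -Identity $Mailbox
if (-not $mbx.AuditEnabled) {
    Write-Warning "Auditing is off for $Mailbox; enabling it."
    Set-Mailbox -Identity $Mailbox -AuditEnabled $true
}
foreach ($set in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
    if ($mbx.$set -notcontains 'MailItemsAccessed') {
        Write-Warning "$set on $Mailbox does not record MailItemsAccessed (licence?)"
    }
}
"Audit retention for ${Mailbox}: $($mbx.AuditLogAgeLimit)"

# 3. Pull every MailItemsAccessed record for the account. One call returns at
#    most 5000 rows, so page with a SessionId until the cmdlet returns nothing.
$sessionId = [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -UserIds $Mailbox -Operations MailItemsAccessed -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page)

# 4. AuditData is a JSON blob per record. MailAccessType is 'Bind' (individual
#    items opened) or 'Sync' (a whole folder downloaded by a client); IsThrottled
#    'True' means more items were touched than were logged.
$summary = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    $props = @{}
    foreach ($p in $d.OperationProperties) { $props[$p.Name] = $p.Value }
    [pscustomobject]@{
        Time           = [datetime]$d.CreationTime
        ClientIP       = $d.ClientIPAddress
        ClientInfo     = $d.ClientInfoString
        MailAccessType = $props['MailAccessType']
        IsThrottled    = $props['IsThrottled']
        Items          = ($d.Folders | ForEach-Object { $_.FolderItems.Count } |
                              Measure-Object -Sum).Sum
    }
}

# Who read the mailbox, from where, and how. Sync access from an IP you do not
# recognise means whole folders left the tenant; compare it against the actor
# infrastructure in the advisory and against the user's normal sign-in locations.
$summary | Group-Object ClientIP, MailAccessType |
    Select-Object Count, Name,
        @{n = 'FirstSeen'; e = { ($_.Group.Time | Measure-Object -Minimum).Minimum }},
        @{n = 'LastSeen';  e = { ($_.Group.Time | Measure-Object -Maximum).Maximum }},
        @{n = 'Items';     e = { ($_.Group.Items | Measure-Object -Sum).Sum }} |
    Sort-Object Count -Descending | Format-Table -AutoSize

if ($summary | Where-Object IsThrottled -eq 'True') {
    Write-Warning 'Some MailItemsAccessed records were throttled; item lists are incomplete.'
}
```

Run it from an administrative workstation, not from a host that is itself suspected of compromise. The point of step 2 is the one the advisory is making: without an E5 or E5 Compliance licence MailItemsAccessed is simply not recorded, so an investigator cannot later tell which messages an intruder read, only that the account was signed into.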

At the top of the list of mitigation recommendations are familiar guidelines: organizations need to patch faster and implement cybersecurity basics.

Despite the sophistication of supply chain attacks, the agencies said, following basic cybersecurity principles will make it harder for even sophisticated actors to compromise a target network. Implementing good network security controls and managing user privileges effectively across the organization will help prevent lateral movement between hosts, limiting the effectiveness of complex attacks.

