Alert (AA20-296A): Russian state-sponsored APT actor compromises US government targets.
This cybersecurity advisory, written jointly by the FBI and CISA, provides information on a Russian state-sponsored APT actor that is actively targeting networks in the US state, local, tribal and territorial (SLTT) government sector and the US aviation sector. It is an update to Cybersecurity Advisory AA20-283A, also published by CISA and the FBI.
It has now become known that this Russian APT actor (also tracked as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti and Koala) has been running a campaign against US targets since at least September 2020. The actor has targeted a number of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure and, as of October 1, 2020, had exfiltrated data from at least two victim servers.
The actor obtained user and administrator credentials with which it could establish initial access, move laterally within the network and locate high-value assets. In at least one compromise, the actor gained access to documents related to:
As of the date of the advisory (October 22, 2020), the FBI and CISA have no information indicating that this actor has intentionally disrupted any aviation, education, election or government operations. However, the actor may be seeking access now in order to disrupt such operations in the future, to influence US policies and actions, or to undermine SLTT government entities.
The most recent activity has targeted SLTT networks, so election information held on those networks could also be at risk. However, neither the FBI nor CISA has evidence that the integrity of election data has been compromised. Given the heightened scrutiny of everything election-related and the ongoing attacks on SLTT networks, the FBI and CISA remain on high alert and will continue to monitor this activity.
According to FBI and CISA observations, the APT actor has compromised SLTT and aviation networks. The actor uses the Turkish IP addresses 213.74.101[.]65, 213.74.139[.]196 and 212.252.30[.]170 to connect to victims' web servers (Exploit Public-Facing Application [T1190]).
The actor uses 213.74.101[.]65 and 213.74.139[.]196 to perform brute-force logins and, in several cases, SQL injection against victim websites (Brute Force [T1110]; Exploit Public-Facing Application [T1190]). The actor has also hosted malicious domains, including likely aviation sector targets: columbusairports.microsoftonline[.]host, which resolved to the IP address 108.177.235[.]92, and [cityname].westus2.cloudapp.azure.com. These domains are registered in the US and are likely targets in an attack on the SLTT sector (Drive-By Compromise [T1189]).
The actor is scanning for vulnerabilities in Citrix and Microsoft Exchange servers and has identified vulnerable systems that will likely be exploited in future attacks. The vulnerabilities in use are a Citrix directory traversal flaw (CVE-2019-19781) and a Microsoft Exchange remote code execution flaw (CVE-2020-0688).
The APT actor has been observed establishing connections via Cisco AnyConnect SSL VPN to enable remote logins on at least one network, likely by exploiting an Exim SMTP vulnerability (CVE-2019-10149) (External Remote Services [T1133]). More recently, the actor exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and the Windows Netlogon vulnerability (CVE-2020-1472) to gain access to Windows Active Directory servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be used to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003].
Between early February and mid-September 2020, the actor used the IP addresses 213.74.101[.]65, 212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97 and 5.45.119[.]124 to attack US government networks. Successful authentications, including to Microsoft Office 365 (O365) accounts, were recorded on at least one network (Valid Accounts [T1078]).
The attackers used the following IP addresses and domains for their attacks:
The IP address 51.159.28[.]101 appears to be configured to receive stolen Windows NTLM credentials. The FBI and CISA therefore advise organizations to take steps to prevent leakage of NTLM credentials: disable the NTLM service where possible, or restrict outgoing NTLM traffic. Blocking the IP address 51.159.28[.]101 should also be considered, but this is not a 100% solution, because the actor has likely already set up, or will set up, additional infrastructure. SMB or WebDAV activity leaving the network to other IP addresses should also be monitored.
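As an added triage example (not part of the advisory or of any CISA tooling), the following Python script shows how the indicators above can be applied to connection logs: it refangs the defanged indicator IPs, flags inbound connections from them, counts failed logins per source for the brute-force pattern, flags any traffic to the NTLM collector 51.159.28[.]101, and flags outbound SMB or WebDAV from internal hosts to any other external address, which is the channel a forced-authentication NTLM leak would use. The log format (timestamp, source IP, destination IP, destination port, protocol, free-text detail), the sample lines, the RFC 1918 definition of "internal" and the brute-force threshold are all assumptions made for the example.

```python
"""Match connection logs against the AA20-296A indicators and flag NTLM-leak egress.

Added example; log format, thresholds and sample data are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Indicator IPs quoted in the advisory, kept in defanged form as published.
ADVISORY_IPS = {
    "213.74.101[.]65", "213.74.139[.]196", "212.252.30[.]170",
    "5.196.167[.]184", "37.139.7[.]16", "149.56.20[.]55",
    "91.227.68[.]97", "5.45.119[.]124", "108.177.235[.]92",
}
NTLM_COLLECTOR = "51.159.28[.]101"

# WebDAV request methods; a Windows client coerced into WebDAV will send these first.
WEBDAV_METHODS = ("PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK")
BRUTE_FORCE_THRESHOLD = 3  # assumed: failed logins per source before we flag it

# Assumed definition of "internal": RFC 1918 space. Adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(ioc):
    """Turn the published '[.]' notation back into a matchable dotted quad."""
    return ioc.replace("[.]", ".")


INDICATOR_SET = {refang(i) for i in ADVISORY_IPS}
COLLECTOR_IP = refang(NTLM_COLLECTOR)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Constructed format: '<ts> <src_ip> <dst_ip> <dst_port> <proto> <detail...>'."""
    ts, src, dst, port, proto, detail = line.split(maxsplit=5)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "detail": detail}


def triage(lines):
    """Return a list of (timestamp, source_ip, reason) findings for the given log lines."""
    findings = []
    failed_logins = Counter()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        src, dst, port, detail = ev["src"], ev["dst"], ev["port"], ev["detail"]
        method = detail.split()[0]

        if src in INDICATOR_SET:
            findings.append((ev["ts"], src, "inbound from advisory indicator IP"))
        if "status=401" in detail:
            failed_logins[src] += 1

        # Egress checks: only internal-to-external traffic is interesting here.
        if dst == COLLECTOR_IP:
            findings.append((ev["ts"], src,
                             "outbound to NTLM credential collector 51.159.28[.]101"))
        elif is_internal(src) and not is_internal(dst):
            if port == 445:
                findings.append((ev["ts"], src, f"outbound SMB to external host {dst}"))
            elif method in WEBDAV_METHODS:
                findings.append((ev["ts"], src,
                                 f"outbound WebDAV ({method}) to external host {dst}"))

    for src, n in failed_logins.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(("-", src, f"{n} failed logins (possible brute force [T1110])"))
    return findings


# Constructed sample log: a web server in a public /24, one internal workstation.
SAMPLE_LOG = """\
2020-09-30T08:01:10Z 213.74.139.196 198.51.100.20 443 tcp POST /login status=401
2020-09-30T08:01:11Z 213.74.139.196 198.51.100.20 443 tcp POST /login status=401
2020-09-30T08:01:12Z 213.74.139.196 198.51.100.20 443 tcp POST /login status=401
2020-09-30T08:02:00Z 203.0.113.7 198.51.100.20 443 tcp GET /index.html status=200
2020-09-30T09:15:30Z 10.0.0.15 10.0.0.5 445 tcp SMB2 NEGOTIATE
2020-09-30T09:16:02Z 10.0.0.15 51.159.28.101 445 tcp SMB2 NEGOTIATE
2020-09-30T09:16:40Z 10.0.0.15 203.0.113.99 80 tcp PROPFIND /share/ status=207
"""

if __name__ == "__main__":
    for ts, src, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{ts} {src:16} {reason}")
```

Internal SMB between 10.0.0.15 and 10.0.0.5 is deliberately not flagged; the point of the egress check is the direction of the traffic, not the protocol alone. Swap the constructed `SAMPLE_LOG` for firewall or proxy export lines in the same field order to run it against real data.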
See AA20-296A.stix for a download of IOCs.
Proper network defense-in-depth and compliance with information security policies help reduce this risk. The following guidance is intended to make networks more resilient against such attacks.
Vulnerability | Affected products | Patch information
CVE-2019-19781 | Citrix ADC and Gateway (directory traversal) |
CVE-2020-0688 | Microsoft Exchange Server (remote code execution) |
CVE-2019-10149 | Exim mail transfer agent (SMTP) |
CVE-2018-13379 | Fortinet FortiOS SSL VPN |
CVE-2020-1472 | Windows Netlogon (Zerologon) |
For accounts whose NTLM hashes or Kerberos tickets may already have been compromised (e.g. via CVE-2020-1472), a double password reset may be required to prevent continued access. For domain administrator accounts, a reset of the krbtgt account (the key behind Kerberos "Golden Tickets") may be necessary; Microsoft has published guidance for this. Such a reset must be carried out with extreme caution.
If there is evidence of Netlogon exploitation (CVE-2020-1472) or other indicators of credential abuse, it must be assumed that the APT actor has compromised AD administrator accounts.
In that case the existing AD forest can no longer be trusted, and a new forest must be built. Hosts from the old, compromised forest cannot simply be migrated; they must be rejoined to the new domain. Endpoints in the old forest should be retired through "creative destruction" and rebuilt in the new forest. This applies both on-premises and to Azure-hosted AD instances.
Note that a complete rebuild of an AD forest is very difficult and complex; it is best carried out under the supervision of specialist personnel with prior experience of such an operation.
It is important that a full password reset is performed for all user and computer accounts in the AD forest. The following points serve as guidelines.
The following accounts should be reset:
Implement the following recommendations for VPN security:
Turn off unused VPN servers. Reduce your organization's attack surface by eliminating unused VPN servers, which can serve as an entry point for attackers. Protect your organization against VPN vulnerabilities: