Alert (AA20-296A) - Russian state-sponsored APT actor compromises U.S. government targets.
This joint cybersecurity advisory from the FBI and CISA provides information on a Russian state-sponsored APT actor that is actively targeting U.S. state, local, tribal, and territorial (SLTT) government networks and aviation networks. It updates joint CISA-FBI Cybersecurity Advisory AA20-283A.
The Russian state-sponsored APT actor (also known as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala) has been conducting a campaign against dozens of U.S. SLTT government and aviation networks since at least September 2020. The actor has attempted intrusions at several SLTT organizations, successfully compromised network infrastructure and, as of October 1, 2020, exfiltrated data from at least two victim servers.
In the process, the actor obtained user and administrator credentials that allowed it to establish initial access, move laterally within the network, and locate high-value assets in order to exfiltrate data. In at least one compromise, the actor accessed documents related to the following areas:
To date (October 22, 2020), the FBI and CISA have no information indicating that the actor has intentionally disrupted any aviation, education, election, or government operations. However, the actor may be seeking access in order to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.
Because this recent activity has been directed at SLTT government networks, there may be some risk to election information housed on those networks. However, the FBI and CISA have no evidence to date that the integrity of election data has been compromised. Given the heightened scrutiny of everything election-related and the attacks on SLTT networks, the FBI and CISA remain on high alert and will continue to monitor all related activity.
According to FBI and CISA observations, the APT actor has compromised SLTT government and aviation networks. The actor uses the Turkish IP addresses 213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170 to connect to victims' web servers (Exploit Public-Facing Application [T1190]).
The actor uses 213.74.101[.]65 and 213.74.139[.]196 to attempt brute-force logins and, in several instances, SQL injection against victim websites (Brute Force [T1110]; Exploit Public-Facing Application [T1190]). The actor has also hosted malicious domains, including possible aviation-sector targets such as columbusairports.microsoftonline[.]host, which resolves to 108.177.235[.]92, and [cityname].westus2.cloudapp.azure.com. These domains are U.S.-registered and are likely aimed at SLTT government targets (Drive-by Compromise [T1189]).
The actor is scanning for vulnerable Citrix and Microsoft Exchange services and identifying vulnerable systems, likely for future exploitation. It is exploiting a Citrix directory traversal vulnerability (CVE-2019-19781) and a Microsoft Exchange remote code execution vulnerability (CVE-2020-0688).
The actor was observed using Cisco AnyConnect SSL VPN connections for remote logins on at least one victim network, possibly enabled by an Exim SMTP vulnerability (CVE-2019-10149) (External Remote Services [T1133]). More recently, the actor exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and the Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003].
Between early February and mid-September 2020, the actor used the IP addresses 213.74.101[.]65, 212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and 5.45.119[.]124 to target U.S. SLTT government networks. Successful authentications, including the compromise of Microsoft Office 365 (O365) accounts, were observed on at least one victim network (Valid Accounts [T1078]).
The attackers used the following IP addresses and domains for their attacks:
The IP address 51.159.28[.]101 appears to have been configured to receive stolen Windows NTLM credentials. The FBI and CISA therefore recommend that organizations take defensive action to mitigate the risk of leaking NTLM credentials: specifically, disable NTLM or restrict outgoing NTLM authentication to remote servers. Organizations should also consider blocking the IP address 51.159.28[.]101, although this alone does not mitigate the threat, as the actor has likely established, or will establish, additional infrastructure. Finally, monitor for SMB or WebDAV traffic leaving the network to other IP addresses: a document or link that references an attacker-controlled share is enough to make a Windows host send its NTLM response over those protocols.
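The following is an added PowerShell example, not a script from the advisory, covering both the IOC list above (the Turkish and other actor IPs, and the NTLM collector) and the NTLM mitigations just described. It assumes an elevated PowerShell on Windows 10 / Server 2016 or later; the registry value names are the ones behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, the firewall rule names are the example's own, and the log lines in $SampleLog are constructed for the example.

```powershell
# Added example, not part of the advisory: harden a Windows host against the
# NTLM-credential leak described above and hunt the Windows Firewall log for
# flows touching the listed IOC IPs and for SMB leaving to untrusted addresses.
# Assumptions: elevated PowerShell on Windows 10 / Server 2016+; $SampleLog is
# constructed for the example, not real traffic.

# IOC IP addresses listed in the advisory (defanging brackets removed).
$IocIps = @(
    '51.159.28.101',                                      # NTLM credential collector
    '213.74.101.65', '213.74.139.196', '212.252.30.170',  # Turkish IPs hitting web servers
    '5.196.167.184', '37.139.7.16', '149.56.20.55',
    '91.227.68.97', '5.45.119.124'
)

function Set-OutgoingNtlmRestriction {
    # Same setting as the GPO "Network security: Restrict NTLM: Outgoing NTLM
    # traffic to remote servers": 0 = allow all, 1 = audit all, 2 = deny all.
    # Start with 1, review Event ID 8001 in Microsoft-Windows-NTLM/Operational,
    # add legitimate servers to the exception list, then move to 2.
    param(
        [ValidateSet(0, 1, 2)][int]$Mode = 1,
        [string[]]$AllowedServers = @()
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    New-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value $Mode -Force | Out-Null
    if ($AllowedServers.Count -gt 0) {
        New-ItemProperty -Path $key -Name ClientAllowedNTLMServers -PropertyType MultiString -Value $AllowedServers -Force | Out-Null
    }
}

function Add-EgressBlocks {
    # Block the known collector outright and SMB to any Internet address, so a
    # UNC path or WebDAV link to attacker infrastructure cannot make the host
    # send its NTLM response. Blocking the IOC alone is not sufficient.
    New-NetFirewallRule -DisplayName 'AA20-296A: block NTLM collector' -Direction Outbound `
        -RemoteAddress '51.159.28.101' -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -Direction Outbound `
        -Protocol TCP -RemotePort 139, 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

function Test-PrivateIPv4 {
    # RFC 1918 check; anything else is treated as untrusted for SMB egress.
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Find-SuspiciousFlows {
    # Parses pfirewall.log lines (fields: date time action protocol src-ip dst-ip
    # src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path)
    # and returns flows that touch an IOC IP or send SMB to a non-RFC1918 address.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^#') { continue }          # header/comment lines
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        $path = $f[16]
        $remote = if ($path -eq 'SEND') { $f[5] } else { $f[4] }
        $dstPort = if ($f[7] -match '^\d+$') { [int]$f[7] } else { 0 }
        $reason = $null
        if ($remote -in $IocIps) {
            $reason = "IOC address $remote"
        } elseif ($path -eq 'SEND' -and ($dstPort -in 139, 445) -and -not (Test-PrivateIPv4 $f[5])) {
            $reason = 'SMB egress to non-RFC1918 address'
        }
        if ($reason) {
            [pscustomobject]@{
                Time = "$($f[0]) $($f[1])"; Action = $f[2]; Path = $path
                Source = $f[4]; Destination = $f[5]; DstPort = $dstPort; Reason = $reason
            }
        }
    }
}

# Constructed sample log (not real data): SMB to the collector, normal SMB to an
# internal file server, SMB to an unknown external host, and an inbound web hit
# from one of the actor's Turkish IPs.
$SampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2020-10-20 14:03:11 ALLOW TCP 10.1.2.33 51.159.28.101 49822 445 0 - 0 0 0 - - - SEND',
    '2020-10-20 14:03:12 ALLOW TCP 10.1.2.33 10.1.2.5 49823 445 0 - 0 0 0 - - - SEND',
    '2020-10-20 14:05:40 ALLOW TCP 10.1.2.44 203.0.113.7 49900 445 0 - 0 0 0 - - - SEND',
    '2020-10-20 14:06:02 ALLOW TCP 213.74.101.65 10.1.2.80 51000 443 0 - 0 0 0 - - - RECEIVE'
)
Find-SuspiciousFlows -Lines $SampleLog | Format-Table -AutoSize

# Against the live log, and to apply the hardening (uncomment deliberately):
# Find-SuspiciousFlows -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
# Set-OutgoingNtlmRestriction -Mode 1
# Add-EgressBlocks
```

Of the four constructed flows, the internal SMB transfer is the only one not reported; the collector hit, the SMB session to 203.0.113.7 and the inbound connection from 213.74.101[.]65 are all flagged. Apply the NTLM restriction in audit mode (1) first and confirm from Event ID 8001 that nothing legitimate breaks before switching to deny (2), and remember that the firewall log only records flows it was configured to log, so enable logging of allowed connections on the profile in use.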
See AA20-296A.stix for a download of IOCs.
Proper network defense in depth and adherence to information security policies help mitigate the risk. The following guidance is intended to help make networks more secure against such attacks.
| Vulnerability | Vulnerable products | Patch information |
For accounts whose NTLM hashes or Kerberos tickets may already have been compromised (e.g., through CVE-2020-1472), a double password reset may be required to prevent continued exploitation of those accounts. For domain administrator accounts, a reset of the KRBTGT account password may also be needed, since that is what invalidates forged "Golden Ticket" TGTs; Microsoft has published guidance for doing so. The KRBTGT password must be reset twice, because the domain controllers keep the previous key and continue to honor tickets signed with it after a single reset, and replication must be allowed to complete between the two resets. Such a reset must be performed with great care.
If CVE-2020-1472 (Netlogon) exploitation activity or other indications of valid-credential abuse are observed, it must be assumed that the APT actor has compromised the AD administrative accounts.
In that case the AD forest can no longer be fully trusted, and a new forest must be deployed. Existing hosts from the old, compromised forest cannot be migrated without being rebuilt and rejoined to the new domain; the migration can be done through "creative destruction", in which endpoints in the old forest are decommissioned and new ones are built in the new forest. This must be done both for on-premises and for Azure-hosted AD instances.
Note that a complete reset of an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task before.
It is critical to perform a full password reset on all user and computer accounts in the AD forest. The following points serve as a guide:
The following accounts should be reset:
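The reset procedure above, as an added PowerShell example that is not the advisory's own script. It assumes the RSAT ActiveDirectory module is installed, the script runs as a Domain Admin, and the domain name corp.example is a placeholder; the function names, the settle interval, and the exclusion of domain controllers by primary group RID 516 are the example's choices. Run it with -WhatIf first.

```powershell
# Added example, not part of the advisory: scripted full credential reset for
# an AD forest that must be assumed compromised (CVE-2020-1472 or stolen
# hashes/tickets). Assumptions: RSAT ActiveDirectory module present, run as a
# Domain Admin, "corp.example" is a placeholder domain. Run with -WhatIf first;
# the real run locks every user out until new passwords are issued out of band.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Domain = 'corp.example',
    [int]$KrbtgtSettleMinutes = 600   # >= max TGT lifetime (10 h default) outside a lab
)
Import-Module ActiveDirectory

function New-StrongPassword {
    # CSPRNG-backed random password returned as a SecureString.
    param([int]$Length = 40)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@_'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    ConvertTo-SecureString $plain -AsPlainText -Force
}

function Wait-KrbtgtReplication {
    # A second krbtgt reset before every DC has seen the first one can
    # invalidate tickets issued by lagging DCs, so poll PasswordLastSet per DC.
    param([datetime]$Expected, [int]$TimeoutMinutes = 30)
    if ($WhatIfPreference) { return }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
    do {
        $lagging = foreach ($dc in $dcs) {
            $seen = (Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet
            if ($seen -lt $Expected) { $dc }
        }
        if (-not $lagging) { return }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt password has not replicated to: $($lagging -join ', ')"
}

function Reset-KrbtgtTwice {
    # The KDC keeps the previous krbtgt key, so one reset still honors Golden
    # Tickets forged with the old hash; two resets are required. Let replication
    # converge and wait the maximum ticket lifetime between them so legitimate
    # tickets expire normally instead of failing all at once.
    foreach ($pass in 1, 2) {
        Set-ADAccountPassword -Identity krbtgt -Server $Domain -Reset -NewPassword (New-StrongPassword)
        $stamp = (Get-ADUser -Identity krbtgt -Server $Domain -Properties PasswordLastSet).PasswordLastSet
        Wait-KrbtgtReplication -Expected $stamp
        if ($pass -eq 1 -and -not $WhatIfPreference) { Start-Sleep -Seconds ($KrbtgtSettleMinutes * 60) }
    }
}

function Reset-AllUserPasswords {
    # Every enabled user gets a random password and must change it at next
    # logon; the new passwords have to be distributed out of band.
    Get-ADUser -Filter 'Enabled -eq $true' -Server $Domain | ForEach-Object {
        Set-ADAccountPassword -Identity $_ -Server $Domain -Reset -NewPassword (New-StrongPassword)
        Set-ADUser -Identity $_ -Server $Domain -ChangePasswordAtLogon $true
    }
}

function Reset-MemberMachinePasswords {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Member servers and workstations only (PrimaryGroupID 516 = domain
    # controllers, which need "netdom resetpwd" instead). The reset runs on the
    # host itself so its secure channel stays valid; unreachable hosts are
    # candidates for decommissioning under the "creative destruction" approach.
    $dc = [string](Get-ADDomainController -Discover -DomainName $Domain).HostName
    foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true -and PrimaryGroupID -ne 516' -Server $Domain) {
        if ($PSCmdlet.ShouldProcess($c.DNSHostName, 'reset machine account password')) {
            Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Continue -ScriptBlock {
                Reset-ComputerMachinePassword -Server $using:dc
            }
        }
    }
}

Reset-AllUserPasswords
Reset-MemberMachinePasswords
Reset-KrbtgtTwice
```

The script deliberately leaves out the domain controllers' own computer accounts, service accounts with embedded passwords, and trust passwords; those need netdom, application-side changes and trust-specific steps respectively, and should be handled as separate, tracked tasks in the same reset window.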
Implement the following recommendations for VPN security:
Turn off unused VPN servers. Reduce your organization's attack surface by disabling unused VPN servers, which can serve as entry points for attackers. Protect your organization from VPN vulnerabilities: