Russian Foreign Intelligence Service Accused of Targeting the U.S. and Allied Digital Networks
On Thursday, April 15th, the United States National Security Agency (N.S.A.), Federal Bureau of Investigation (F.B.I.), and Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement outlining evidence of cyber-attacks being carried out by the Russian Foreign Intelligence Service (known by the acronym S.V.R.). The full text of the federal cybersecurity advisory is available here and outlines that Russian Foreign Intelligence Service (S.V.R.) actors known as APT29, Cozy Bear, and The Dukes have been implicated in cyberattacks exploiting five previously unknown vulnerabilities:
- CVE-2018-13379 Fortinet®
- CVE-2019-9670 Zimbra®
- CVE-2019-11510 Pulse Secure®
- CVE-2019-19781 Citrix®
- CVE-2020-4006 VMware®
Recommended Mitigation Procedures to Counter this Cyber Threat Event
Due to the scope and complexity of this current cyber threat event, the N.S.A., CISA, and F.B.I. recommend immediate actions to mitigate the impact of these attacks. Failure to mitigate these issues raises national security concerns, because sensitive data related to U.S. policies, strategies, plans, ongoing operations, and competitive advantages are exposed. The specific techniques utilized in this current threat event include:
- Exploiting public-facing applications (T1190)
- Leveraging external remote services (T1133)
- Compromising supply chains (T1195)
- Using valid accounts (T1078)
- Exploiting software for credential access (T1212)
- Forging web credentials: SAML tokens (T1606.002)
The agencies recommend the following mitigations:
- Update systems and products as soon as possible after patches are released.
- Assume a breach will happen; review accounts and leverage the latest eviction guidance available.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in client device configurations.
- Reduce exposure of the local network by separating internet-facing services into a small, isolated network.
- Enable robust logging of internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly in cloud environments.
- Adopt a mindset that compromise happens: Prepare for incident response activities.
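As an added example that is not part of the advisory or this post, the following Python hunt targets the forged SAML token technique listed above (T1606.002) using the logging the mitigations call for: each SAML assertion accepted by a service provider is checked for an unknown signing certificate, for a missing identity-provider sign-in shortly before it was issued, and for an excessive validity period. The log field names and sample events are constructed assumptions, not real logs.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs): identity-provider (IdP) sign-in
# events and the SAML assertions a service provider (SP) accepted.
# Field names are assumptions for this example.
IDP_SIGNINS = [
    {"user": "alice", "time": "2021-04-15T09:00:05Z"},
    {"user": "bob",   "time": "2021-04-15T09:02:10Z"},
]
SP_ASSERTIONS = [
    {"id": "a1", "user": "alice", "issued": "2021-04-15T09:00:07Z",
     "expires": "2021-04-15T09:05:07Z", "cert": "KNOWN-IDP-CERT"},
    {"id": "a2", "user": "bob",   "issued": "2021-04-15T09:02:12Z",
     "expires": "2021-04-15T09:07:12Z", "cert": "UNKNOWN-CERT"},
    {"id": "a3", "user": "carol", "issued": "2021-04-15T11:30:00Z",
     "expires": "2021-04-16T11:30:00Z", "cert": "KNOWN-IDP-CERT"},
]
KNOWN_CERTS = {"KNOWN-IDP-CERT"}  # thumbprints the IdP actually signs with


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt_forged_saml(idp_signins, sp_assertions, known_certs,
                     window=timedelta(minutes=5),
                     max_validity=timedelta(hours=1)):
    """Return (assertion_id, reason) pairs for assertions worth investigating."""
    signins = {}
    for e in idp_signins:
        signins.setdefault(e["user"], []).append(_ts(e["time"]))
    alerts = []
    for a in sp_assertions:
        issued, expires = _ts(a["issued"]), _ts(a["expires"])
        # 1. Signed by a certificate the IdP does not use: forged token or stolen key.
        if a["cert"] not in known_certs:
            alerts.append((a["id"], "unknown signing certificate"))
        # 2. Accepted with no IdP sign-in shortly before: the IdP was bypassed.
        recent = [t for t in signins.get(a["user"], [])
                  if timedelta(0) <= issued - t <= window]
        if not recent:
            alerts.append((a["id"], "no matching IdP sign-in"))
        # 3. Validity far beyond policy: a long-lived, attacker-minted token.
        if expires - issued > max_validity:
            alerts.append((a["id"], "excessive validity period"))
    return alerts


if __name__ == "__main__":
    for aid, reason in hunt_forged_saml(IDP_SIGNINS, SP_ASSERTIONS, KNOWN_CERTS):
        print(aid, reason)
```

In production the two event streams come from the IdP's sign-in log and the SP's SAML audit log; the correlation window should match the IdP's real issuance latency.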
Develop a Nimbler Cyber Threat Response Protocol with a Trusted Cybersecurity Partner
When it comes to cybersecurity, smaller I.T. teams have the most challenging job out there. That's because you have to take care of everything I.T.-related, in addition to managing security. All too often, there is no one on your team who is dedicated to security, and even if there is, the bad guys don't keep bankers' hours, and your security person can't work 24/7. The choice seems to be — go it alone — or try to get the budget for more cybersecurity tools. Not anymore! Gradient is a powerful combination of proprietary technology and security experts that use our Cognitive Library to generate A.I.-driven cybersecurity assessments. As your cybersecurity partner, Gradient makes the job of managing security much easier for your small-scale I.T. team without breaking the bank. Learn more about how we can help your organization develop a nimbler cyber threat response protocol.