Agencies warn about Russian government hackers going after unpatched vulnerabilities

The SVR is conducting its targeting both specifically and broadly, the U.S. and U.K. cyber agencies said.
A general view of the Russian Foreign Intelligence Service (SVR) headquarters outside Moscow taken on June 29, 2010. (Alexey SAZONOV/AFP via Getty Images)

Russian government hackers are targeting known, unpatched vulnerabilities to victimize specific organizations like governments and defense contractors while also scanning the internet for any susceptible systems to attack, U.S. and U.K. cyber agencies said in a joint alert.

The threat actors tied to the Russian Foreign Intelligence Service (SVR) “are highly capable of and interested in exploiting software vulnerabilities” in order to both gain initial access to their target organization and then move around in its systems, the Thursday advisory states.

It’s an attempt by the FBI, the National Security Agency, Cyber National Mission Force and the United Kingdom’s National Cyber Security Centre to warn the public about the tactics and techniques the SVR has employed in recent attacks. It’s an update of a 2021 advisory.

They wrote that there are two types of target entities for the SVR attackers: “targets of intent,” which include tech companies, think tanks and international organizations, and “targets of opportunity.”

The first kinds of groups “are targeted for the purpose of collecting foreign intelligence and technical data as well as establishing accesses to enable subsequent downstream/supply chain compromises,” according to the advisory.

For the second kind, “mass scanning and opportunistic exploitation of vulnerable systems, as opposed to more targeted operations, increase the threat surface to include virtually any organization with vulnerable systems,” the agencies wrote. “Targets of opportunity represent entities with Internet-accessible infrastructure vulnerable to exploitation through publicly disclosed vulnerabilities, weak authentication controls, or system misconfigurations.”

Examples the alert gives of vulnerabilities the SVR has exploited recently are flaws in the JetBrains TeamCity and Zimbra software products. The hackers have also used Microsoft Teams accounts posing as tech support in Teams chats to manipulate users into granting them access.

SVR hackers operate stealthily, for example by using the Tor anonymity browser and attempting to destroy their infrastructure when they are discovered, according to the alert.

The agencies advise organizations to disable internet-accessible services they don’t need, employ multi-factor authentication and audit cloud-based accounts for unusual activity.

Earlier this year, the same agencies, joined by others from other countries, issued an advisory about how SVR hackers are seeking to gain cloud access.