Alert (AA20-296A)
Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets.
This joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)—provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.
Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.
The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:
- Sensitive network configurations and passwords.
- Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
- IT instructions, such as requesting password resets.
- Vendors and purchasing information.
- Printing access badges.
To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.
As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.
Technical Details
The FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses 213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170 to connect to victim web servers (Exploit Public Facing Application [T1190]).
The actor is using 213.74.101[.]65 and 213.74.139[.]196 to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (Brute Force [T1110]; Exploit Public Facing Application [T1190]). The APT actor also hosted malicious domains, including possible aviation sector target columbusairports.microsoftonline[.]host, which resolved to 108.177.235[.]92 and [cityname].westus2.cloudapp.azure.com; these domains are U.S. registered and are likely SLTT government targets (Drive-By Compromise [T1189]).
The APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug (CVE-2019-19781) and a Microsoft Exchange remote code execution flaw (CVE-2020-0688).
The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE 2019-10149) (External Remote Services [T1133]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003]).
Between early February and mid-September, these APT actors used 213.74.101[.]65, 212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and 5.45.119[.]124 to target U.S. SLTT government networks. Successful authentications—including the compromise of Microsoft Office 365 (O365) accounts—have been observed on at least one victim network (Valid Accounts [T1078]).
Para el ver artículo original: https://us-cert.cisa.gov/ncas/alerts/aa20-296a
Últimos Artículos
