State cyber actors, likely working for the Russian Federation Foreign Intelligence Service (SVR) could seek to exploit software vulnerabilities, warned the National Security Agency (NSA) last week. The agency joined the Federal Bureau of Investigation (FBI), the United States Cyber Command’s Cyber National Mission Force (CNMF), and the United Kingdom National Cyber Security Centre (NCSC) in highlighting how foreign operatives could engage in cyber attacks.
The NSA and other agencies issued a joint Cybersecurity Advisory (CSA), “Update on SVR Cyber Operations and Vulnerability Exploitation.” It provided a list of publicly disclosed common vulnerabilities and exposures (CVEs), as well as suggested mitigations that could improve cybersecurity posture based on past actions by CVR cyber actors.
“This activity is a global threat to the government and private sectors and requires thorough review of security controls, including prioritizing patches and keeping software up to date,” explained Dave Luber, the NSA’s cybersecurity director. “Our updated guidance will help network defenders detect these intrusions and ensure they are taking steps to secure their systems.”
Attack Vectors
The joint CSA noted that SVR cyber actors are known to employ a range of tactics, techniques, and procedures (TTPs). These include phishing campaigns, password spraying, abuse of supply chain and trusted relationships, custom and bespoke malware, and cloud exploitation. The goal is to gain initial access to a network, where operatives can then escalate privileges, and maintain persistence in a compromised network and/or cloud environment.
The actors can exfiltrate information and often conceal their activity by employing Tor, leased, and compromised infrastructure and proxies.
The SVR operatives have been tracked by such names as APT29, Cozy Bear, the Dukes, and Midnight Blizzard among others. The actors have consistently targeted U.S., European, and global entities – notably in the defense, technology, and finance sectors. According to the NSA, the SVR’s “intent is to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine.”
Key Recommendations from NSA
The advisory offered a list of recommended actions all U.S. companies and agencies should undertake:
- Prioritize rapid deployment of patches and software updates as soon as they become available. Enable automatic updates where possible.
- Reduce attack surface by disabling Internet-accessible services that you do not need, or restrict access to trusted networks, and remove unused applications and utilities from workstations and development environments.
- Perform continuous threat-hunting activities. Ensure proper configuration of systems – check for open ports and obsolete or unused protocols, especially on Internet-facing systems.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure to internal networks.
- Require and enforce multi-factor authentication whenever possible.
- Require additional identity challenges for enrollment of new devices when users are permitted to self-enroll multi-factor authentication mechanisms or register devices on the corporate network.
- Notify users across multiple platforms when devices have been successfully registered to help identify unexpected registrations. Train and encourage users to notice and report unexpected registrations.
- Enable robust logging for authentication services and Internet-facing functions.
- Regularly audit cloud-based accounts and applications with administrative access to email for unusual activity.
- Limit token access lifetimes and monitor for evidence of token reuse.
- Enforce least-privileged access and disable external management capabilities.
- Baseline authorized devices and apply additional scrutiny to systems accessing network resources that do not adhere to the baseline.
- Disable remote downloading of information to non-enrolled devices when possible.
Good Start with NSA Cyber Warning
While all this is solid advice, cybersecurity experts have suggested that there needs to be more than warnings.
“I welcome any cybersecurity recommendations, including this announcement. However, it doesn’t say anything new that hasn’t been said for decades,” explained Roger Grimes, data-driven defense evangelist at KnowBe4.
“It doesn’t say anything new that every reader doesn’t already know they should be doing. That doesn’t mean it shouldn’t be said again,” Grimes told ClearanceJobs. “We need to keep saying it until most defenders start doing it.”
The warnings are issued – especially with this being Cybersecurity Awareness Month – only for the advice not to be heeded.
“Will it change the risk profile of any defender? Probably not. It doesn’t say anything new. I can’t imagine a defender reading [and thinking] ‘I didn’t know that. That’s a great recommendation. I’ll get right on that!’ I could be wrong. I hope I’m wrong,” Grimes added.
“But decades of evidence show that those not following the recommendations in this announcement are probably not suddenly going to have an epiphany and start doing so because of the recent recommendations in this announcement,” he suggested. “Dare to dream!”
