
The NSA issues updated guidance on Russian SVR cyber operations

The National Security Agency (NSA) has joined the Federal Bureau of Investigation (FBI), the United States Cyber Command’s Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC) to warn network defenders of ongoing attacks by cyber actors of the Russian Federation’s Foreign Intelligence Service (SVR), and to recommend rapid countermeasures such as patching and hardening exposed systems.

In a press statement, NSA Cybersecurity Director Dave Luber said: “This activity is a global threat to government and the private sector and requires a major overhaul of security controls, including prioritizing patches and keeping up-to-date software. Our updated guidance will help network defenders detect these intrusions and ensure they take steps to secure their systems.”

The joint Cybersecurity Advisory (CSA), “Update on SVR Cyber Operations and Vulnerability Exploitation”, highlights how Russian SVR cyber actors are currently exploiting a range of software vulnerabilities and intend to exploit more. It provides a detailed list of publicly disclosed common vulnerabilities and exposures (CVEs) and a list of measures to improve cybersecurity based on the observed activities of the SVR cyber actors.

According to the CSA, SVR cyber actors employ a range of tactics, techniques and procedures (TTPs), including but not limited to spear phishing, password spraying, supply chain and trusted relationship abuse, custom malware, cloud exploitation and living-off-the-land techniques. They gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. They often conceal their activities using Tor, leased and compromised infrastructure, and proxies.

To disrupt this activity, the report’s authors recommend, among other things, baselining authorized devices and investigating systems accessing their networks that do not comply with the baseline.

Since 2021, SVR actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), the Dukes and Cozy Bear – have consistently targeted US, European and global entities in the defense, technology and financial sectors. Their intent is to gather foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine.

Recommendations

The authoring agencies recommend that organizations implement the measures below to improve their cybersecurity posture in light of the observed threat actor activity.

• Prioritize the rapid deployment of patches and software updates as they become available. Enable automatic updates where possible.
• Reduce the attack surface by disabling Internet-facing services you don’t need or restricting them to trusted networks, and by removing unused applications and tools from workstations and development environments.
• Conduct continuous threat hunting activities.
• Ensure systems are properly configured – check for open ports and outdated or unused protocols, especially on Internet-facing systems.
• Isolate Internet-facing services in a demilitarized network zone (DMZ) to reduce exposure of internal networks.
• Require and enforce multi-factor authentication wherever possible.
• Require additional identity challenges for new device enrollment where users are allowed to self-enroll multi-factor authentication mechanisms or register devices on the corporate network.
• Notify users across platforms when devices are successfully registered to help identify unexpected registrations. Train and encourage users to notice and report unexpected registrations.
• Enable robust logging for authentication services and Internet-facing features.
• Regularly monitor cloud-based accounts and applications with administrative access to email for unusual activity.
• Limit access token lifetimes and check for evidence of token reuse.
• Enforce least privilege access and disable remote management capabilities.
• Baseline authorized devices and perform additional monitoring of systems accessing network resources that do not meet the baseline.
• If possible, disable remote downloading of information to unenrolled devices.

The authoring agencies recommend testing your existing security measures to assess how they perform compared to the techniques described in this advisory.
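Three of the recommendations above (baseline authorized devices, check for evidence of token reuse, and watch for unexpected device registrations) can be turned into simple checks over authentication logs. The following is an added Python example, not code from the advisory or the agencies; the log record fields, the device identifiers and the token names are constructed sample data.

```python
"""Added example: flag logins from devices outside an authorized-device baseline,
detect one access token presented from more than one device or source IP, and
list registrations of devices that were not in the baseline."""
from collections import defaultdict

# Constructed baseline of authorized device identifiers (format is an assumption).
BASELINE = {"WS-0001", "WS-0002", "LAPTOP-0042"}

# Constructed authentication log records; the field names are assumptions.
LOG = [
    {"ts": "2024-10-10T08:01:00Z", "user": "alice", "device": "WS-0001", "token": "tok-a1", "ip": "10.0.0.5", "event": "login"},
    {"ts": "2024-10-10T08:05:00Z", "user": "alice", "device": "WS-0001", "token": "tok-a1", "ip": "10.0.0.5", "event": "login"},
    {"ts": "2024-10-10T09:30:00Z", "user": "bob", "device": "UNKNOWN-7F", "token": "tok-b9", "ip": "198.51.100.23", "event": "login"},
    {"ts": "2024-10-10T09:31:00Z", "user": "bob", "device": "UNKNOWN-7F", "token": None, "ip": "198.51.100.23", "event": "device_registered"},
    {"ts": "2024-10-10T10:00:00Z", "user": "alice", "device": "LAPTOP-0042", "token": "tok-a1", "ip": "203.0.113.9", "event": "login"},
]

def non_baseline_access(log, baseline):
    """Return sorted (user, device) pairs for logins from devices not in the baseline."""
    return sorted({(r["user"], r["device"]) for r in log
                   if r["event"] == "login" and r["device"] not in baseline})

def token_reuse(log):
    """Return tokens presented from more than one (device, ip) origin: the
    'evidence of token reuse' the advisory asks defenders to look for."""
    origins = defaultdict(set)
    for r in log:
        if r["token"]:
            origins[r["token"]].add((r["device"], r["ip"]))
    return {tok: sorted(o) for tok, o in origins.items() if len(o) > 1}

def unexpected_registrations(log, baseline):
    """Return (user, device) for registration events of devices outside the baseline."""
    return [(r["user"], r["device"]) for r in log
            if r["event"] == "device_registered" and r["device"] not in baseline]

if __name__ == "__main__":
    print("non-baseline logins:", non_baseline_access(LOG, BASELINE))
    print("token reuse:", token_reuse(LOG))
    print("unexpected registrations:", unexpected_registrations(LOG, BASELINE))
```

In the sample data, tok-a1 is presented both from the baselined workstation WS-0001 and, two hours later, from a different device and external address, which is the pattern the token-lifetime and token-reuse recommendation is meant to surface.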

Read the full report here.