Russian Hackers Exploit Multiple Flaws and Aim at Critical U.S. Infrastructures


American cybersecurity and intelligence agencies last week published a joint advisory on mitigating cyberattacks orchestrated by Russian-sponsored actors amid a perceived strengthening of Russia’s actions in this space. Here’s what brought on this unprecedented step, and why.


The report was a joint publication by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA). It was the first joint report of its kind by these three extremely powerful agencies.

The report addressed the increase in spear-phishing, brute-force attacks and exploitation of known vulnerabilities, currently taking place at unprecedentedly high rates and carried out by Russian attackers: both individuals and state-backed entities.

Some of the flaws successfully exploited by Russian hacking groups in the last month include:

  • CVE-2018-13379 (FortiGate VPNs)
  • CVE-2019-1653 (Cisco router)
  • CVE-2019-2725 (Oracle WebLogic Server)
  • CVE-2019-7609 (Kibana)
  • CVE-2019-9670 (Zimbra software)
  • CVE-2019-10149 (Exim Simple Mail Transfer Protocol)
  • CVE-2019-11510 (Pulse Secure)
  • CVE-2019-19781 (Citrix)
  • CVE-2020-0688 (Microsoft Exchange)
  • CVE-2020-4006 (VMware)
  • CVE-2020-5902 (F5 BIG-IP)
  • CVE-2020-14882 (Oracle WebLogic)
  • CVE-2021-26855 (Microsoft Exchange, exploited frequently alongside CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)

In a joint statement, the agencies proclaimed that “Russian state-sponsored APT actors have demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware”.


Recent objectives of Russian hacker groups include disruption of the U.S. energy sector, disruption of Ukraine in the midst of sustained geopolitical tensions, and (as ever) extortion and financial gain.

Those groups backed by state-based interests have also had their eyes on operational technology (OT) and industrial control systems (ICS).

The report went on to say that “the actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments — including cloud environments — by using legitimate credentials.”

The agencies have recommended enforcing network segmentation, keeping operating systems, applications and firmware up to date, mandating multi-factor authentication, and staying vigilant for abnormal activity that indicates lateral movement.

Some of the other best practices include the following, which are as applicable to companies and utilities all around the world as they are to American ones:

  • Strong passwords
  • Optimized spam filters
  • Disabling all unnecessary ports and protocols
  • Strong log collection and retention systems
  • Implementing configuration management programs
  • Having OT hardware in read-only mode

As geopolitical tensions over Ukraine continue to rise, we expect to see an increase in activity by Russian-backed and Russia-supportive threat actors.

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
