The UK’s National Cyber Security Centre (NCSC) and its American partner agencies, the National Security Agency (NSA) and the FBI, have today published another alert highlighting the ongoing exploitation of vulnerabilities, at scale, by threat actors linked to the Russian state.
The latest advisory warns organizations at risk of being targeted by Moscow’s Foreign Intelligence Service, the SVR, to rapidly deploy patches and prioritize software updates as soon as they become available.
The SVR is one of a number of Russian agencies suspected of providing tasking to the group known as APT29, or more fancifully, Cozy Bear. Cozy Bear was behind the Solorigate/Sunburst incident affecting SolarWinds customers, and the 2016 hack of the US Democratic National Committee, among many other things.
“Russian cyber actors are interested in and highly capable of accessing unpatched systems across a range of sectors, and once they are in, they can exploit this access to meet their objectives,” said NCSC operations director Paul Chichester.
“All organizations are encouraged to bolster their cyber defenses: take heed of the advice set out within the advisory and prioritize the deployment of patches and software updates,” he added.
The agencies highlighted some of the latest tactics being used to collect foreign intelligence by Cozy Bear, which of late specializes in targeting government and diplomatic bodies, think tanks, tech companies and financial institutions.
It is known to scan internet-facing systems at scale to find unpatched vulnerabilities and opportunistically exploit them, in the hope of further compromises down the line.
As such, any organization in any sector – not just those at particular risk of targeted espionage – may find themselves in hot water as Cozy Bear takes advantage of their vulnerable systems to host malicious infrastructure, run follow-on operations from compromised accounts, or pivot to other networks.
This was most famously seen in the Sunburst incident, where SolarWinds unknowingly provided the stepping stone to US government networks.
The advisory documents Cozy Bear’s ongoing use of multiple publicly disclosed vulnerabilities in a diverse range of suppliers’ products in the service of its intrusions.
Some of these issues date back well over five years and all have been disclosed and patched. Collectively, they enable a wide range of attack scenarios.
Of particular note recently are two issues, tracked as CVE-2022-27924 and CVE-2023-42793.
The first of these is a command injection vulnerability in Zimbra Collaboration that enables an unauthenticated user to inject arbitrary memcache commands into a targeted instance, causing an overwrite of arbitrary cached entries. Cozy Bear has exploited it at scale in hundreds of domains worldwide and used it to access user credentials and mailboxes without any interaction from its victims.
The second is an arbitrary code execution flaw in JetBrains TeamCity that arises through insecure handling of specific paths, allowing for authentication bypass.
The partners said that based on Cozy Bear’s known tactics, techniques and procedures (TTPs) and its previous targeting, the group has both the capability and the interest to exploit additional CVEs for initial access, remote code execution and privilege escalation.