The National Cyber Security Centre (NCSC) has joined forces with the NSA, FBI and other US agencies to issue an urgent warning about "online attacks" by Russia’s Foreign Intelligence Service (SVR).
Agents from the SVR are allegedly hard at work collecting intelligence to support "future cyber operations", including activities to support Putin's brutal invasion of Ukraine.
They have exploited more than 20 publicly disclosed vulnerabilities (find the full list and advisory here) and targeted governments, diplomatic entities, think tanks, technology companies, defence firms and financial institutions across the globe, including the UK.
In addition to these "targets of intent", they are always on the lookout for "targets of opportunity" located by scanning internet-facing systems for unpatched vulnerabilities at scale, which are then "opportunistically exploited".
In a rather excitable post on X, the NCSC offered the following advice: "PATCH! PATCH! PATCH!"
Paul Chichester, NCSC Director of Operations, said: “Russian cyber actors are interested in and highly capable of accessing unpatched systems across a range of sectors, and once they are in, they can exploit this access to meet their objectives.
“All organisations are encouraged to bolster their cyber defences: take heed of the advice set out within the advisory and prioritise the deployment of patches and software updates.”
The full advisory states that the Russian SVR threat actors are also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes. They have been in operation since 2022.
"Their operations continue to pose a global threat to government and private sector organizations," it warned.
As well as exploiting software vulnerabilities for initial access and escalation of privileges, Moscow's agents deploy spearphishing, password spraying and abuse of supply chain or trusted relationships.
Additionally, they utilise customized malware, cloud exploitation, and living-off-the-land techniques to achieve initial access, escalate privileges, move laterally, and maintain persistence within victim networks and cloud environments, ultimately exfiltrating sensitive information.
SVR places a strong emphasis on remaining anonymous and undetected. The actors make extensive use of TOR throughout their intrusions - from initial targeting to data collection across network infrastructure. They lease operational infrastructure under a range of fake identities and low-reputation email accounts, acquiring infrastructure from resellers associated with major hosting providers.
When the SVR suspect victims or law enforcement have rumbled them, they quickly attempt to dismantle their infrastructure and erase any evidence. To avoid detection, the SVR often uses tools and programmes already present on victim networks, thereby evading anti-virus software. In cloud environments, they exploit misconfigurations and weak access controls to access information without requiring additional software.
Examples of the CVEs targeted include CVE-2022-27924 in Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0, which enables unauthenticated attackers to inject arbitrary memcache commands into a targeted Zimbra instance, causing an overwrite of arbitrary cached entries.
"SVR cyber actors exploited Zimbra mail servers targeting hundreds of domains worldwide, including through exploitation of the CVE," the advisory states. "This allowed the actors to access user credentials and mailboxes without victim interaction. Following the exploitation of those systems, the SVR deployed infrastructure to enable collection from the victims."
Another flaw Putin's cyber-Spetsnaz is known to target is CVE-2023-42793.
"Starting in September 2023, SVR cyber actors have exploited JetBrains TeamCity CVE-2023-42793, which enabled arbitrary code execution via insecure handling of specific paths allowing for authentication bypass," the advisory added. "Based on the SVR cyber actors’ TTPs and previous targeting, the authoring agencies assess they have the capability and interest to exploit additional CVEs for initial access, remote code execution, and privilege escalation."
Defenders are advised to minimise attack surfaces, disable any unnecessary internet-accessible services or restrict access to trusted networks, and remove unused applications and utilities from both workstations and development environments. It would also be prudent to take basic steps such as enforcing multi-factor authentication and regularly auditing cloud-based accounts and applications with administrative access to email (which we're sure you're doing already!).