Response to CISA Advisory (AA24-057A): SVR Cyber Actors Adapt Tactics for Initial Cloud Access

AttackIQ recommends that customers take the following testing actions in alignment with the recently published CISA Advisory (AA24-057A), which details recent Tactics, Techniques, and Procedures (TTPs) exhibited by the Russian Foreign Intelligence Service (SVR) adversary known as APT29 during activities in which it sought to gain initial access to the cloud infrastructure of government entities and corporations.

On February 26, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) detailing recent Tactics, Techniques, and Procedures (TTPs) associated with the adversary known as APT29 which is assessed to be part of the Russian Foreign Intelligence Service (SVR).

This advisory provides an overview of the capabilities displayed by the adversary to gain initial access to the cloud infrastructure of government entities and corporations.

Nobelium is a politically motivated state-sponsored adversary suspected of operating on behalf of the Russian Foreign Intelligence Service (SVR). This adversary, which has been active since at least 2019, has targeted government organizations, non-governmental organizations (NGOs), think tanks, and technology service providers, primarily in the United States and Europe.

Nobelium is often identified as a new iteration of the historical adversary APT29, active since at least 2013, as it shares many similarities in terms of Tactics, Techniques and Procedures (TTP). Microsoft identified Nobelium as a new name for this continuation of APT29 in March 2021, but publicly available reports from multiple security vendors continue to use Nobelium and APT29 as interchangeable aliases.

AttackIQ has previously published emulations based on activities carried out by Nobelium against multiple objectives.

The first, published on May 4, 2023, is based on reported activities against several European Union (EU) governments, during which Nobelium focused on gathering intelligence on those countries that support Ukraine in the ongoing war.

The second, published on December 21, 2023, is in response to the CISA Advisory (AA23-347A), which assessed that adversaries belonging to the Russian Foreign Intelligence Service (SVR) have been targeting servers hosting JetBrains TeamCity software by exploiting vulnerability CVE-2023-42793 on a large scale, since September 2023.

Although details of the incident as well as technical procedural level details and behaviors are limited, the following AttackIQ scenario recommendations offer a starting point for further testing. These scenarios can be selected from within the scenario library and should be run in their respective environments and with their respective privileges:

  • Password Brute-Force: This scenario attempts a password brute-force attack against a specified machine to test whether any security controls detect multiple failed login attempts, and whether the specified machine has a weak password that is susceptible to RDP, SSH, SMB, and other protocol brute-forcing tools. This scenario can also be used to perform a password spraying attack, in which a small number of passwords is tried against a larger number of users. This is the inverse of a traditional brute-force attack, but both use cases can be handled within this scenario.
    This scenario uses ncrack, a cracking tool commonly used by attackers, that makes continuous attempts to connect to the target service using all possible username and password combinations provided in the credential files.
  • Connection Proxy: This scenario emulates the use of proxies as an intermediary for network communications, hiding the real destination to avoid detection. It performs a connection, through a user-specified proxy, to an AttackIQ server that simulates the Command and Control (C2) server of a malicious organization.
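The Password Brute-Force scenario above exercises two patterns that a security control should separate: classic brute force (many failures against one account from one source) and password spraying (one or two attempts each against many accounts from one source). The following is an added example, not AttackIQ or CISA code, showing the detection logic a defender would validate when running that scenario. The log format (`<ISO timestamp> <FAIL|OK> <user> <source IP>`), the sample lines, and the thresholds and window are constructed assumptions; a real deployment would read these from the authentication logs of the service being tested.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format:
# "<ISO timestamp> <FAIL|OK> <user> <source IP>"). Not real data.
# 203.0.113.7 hammers one account (brute force); 198.51.100.9 tries one
# password against six accounts (spray); 192.0.2.5 is a user mistyping twice.
SAMPLE_LOG = """\
2024-02-26T10:00:01Z FAIL alice 203.0.113.7
2024-02-26T10:00:02Z FAIL alice 203.0.113.7
2024-02-26T10:00:03Z FAIL alice 203.0.113.7
2024-02-26T10:00:04Z FAIL alice 203.0.113.7
2024-02-26T10:00:05Z FAIL alice 203.0.113.7
2024-02-26T10:00:06Z FAIL alice 203.0.113.7
2024-02-26T10:01:00Z FAIL bob 198.51.100.9
2024-02-26T10:01:30Z FAIL carol 198.51.100.9
2024-02-26T10:02:00Z FAIL dave 198.51.100.9
2024-02-26T10:02:30Z FAIL erin 198.51.100.9
2024-02-26T10:03:00Z FAIL frank 198.51.100.9
2024-02-26T10:03:30Z FAIL grace 198.51.100.9
2024-02-26T10:05:00Z FAIL heidi 192.0.2.5
2024-02-26T10:05:20Z FAIL heidi 192.0.2.5
2024-02-26T10:05:40Z OK heidi 192.0.2.5
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src))
    return events


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any single window."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_credential_attacks(events, window=timedelta(minutes=5),
                              brute_threshold=5, spray_threshold=5):
    """Flag brute force per (user, src) and spraying per src within a window.

    Thresholds and window are assumed values; tune them to the environment.
    """
    fails = defaultdict(list)        # (src, user) -> failure timestamps
    first_fail = defaultdict(dict)   # src -> {user: first failure timestamp}
    for ts, result, user, src in sorted(events):
        if result != "FAIL":
            continue
        fails[(src, user)].append(ts)
        first_fail[src].setdefault(user, ts)

    # Brute force: many failures against the same account from one source.
    brute = sorted((user, src) for (src, user), stamps in fails.items()
                   if max_in_window(stamps, window) >= brute_threshold)
    # Spray: many distinct accounts first failing from one source in a window.
    spray = sorted(src for src, users in first_fail.items()
                   if max_in_window(list(users.values()), window) >= spray_threshold)
    return {"brute_force": brute, "password_spray": spray}


if __name__ == "__main__":
    findings = detect_credential_attacks(parse_log(SAMPLE_LOG))
    for kind, hits in findings.items():
        print(f"{kind}: {hits}")
```

The spray check keys on distinct accounts rather than failure counts, which is what lets it catch the low-and-slow case where each account sees only a single failure; a control that only counts failures per account, as many default lockout policies do, will miss exactly that pattern.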

Detection and Mitigation Opportunities

Given the limited contextual details of the techniques observed from this threat actor, AttackIQ recommends reviewing CISA’s guidance.

1. Review CISA’s Mitigation and Recommendations:

CISA has provided a considerable number of mitigation and general recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing these recommendations.

Wrap-up

In summary, AttackIQ recommends running the previously released emulations in conjunction with the scenarios recommended in this post. These are good starting points for evaluating the effectiveness of your security personnel, processes, and controls against these and similar threats.
With data generated from continuous testing and use of these AttackIQ scenarios, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.