Russian SVR Exploiting Unpatched Vulnerabilities


Russian Foreign Intelligence Service (SVR) cyber actors are once again in the spotlight, exploiting widespread vulnerabilities in a global campaign aimed at government, technology, and finance sectors.

In a new joint advisory, the UK’s National Cyber Security Centre (NCSC) and U.S. agencies warned that SVR cyber operations, known for the SolarWinds attack and targeting COVID-19 vaccine research, have shifted their focus to unpatched software vulnerabilities across a range of sectors.

“Russian cyber actors are interested in and highly capable of accessing unpatched systems across a range of sectors, and once they are in, they can exploit this access to meet their objectives.” – Paul Chichester, NCSC Director of Operations

SVR’s Tactics: A Persistent Global Threat

The SVR, also referred to as APT29 or Cozy Bear, has demonstrated an alarming ability to exploit known vulnerabilities, particularly those left unpatched by organizations. The group is infamous for its persistent and stealthy cyber operations, often targeting government entities, think tanks, and private corporations to collect foreign intelligence.

One key aspect of their approach is the two types of targets they pursue. The first includes entities of strategic interest such as governments, financial institutions, and technology companies. These “targets of intent” are carefully selected for their intelligence value. The second group, known as “targets of opportunity,” consists of any organization with unpatched systems that can be exploited for malicious purposes.

SVR Exploiting Unpatched Vulnerabilities at Scale

The advisory includes over 20 publicly disclosed vulnerabilities that SVR actors are actively targeting. Organizations across the globe, including those in the UK, are being urged to rapidly deploy patches and prioritize software updates to minimize exposure to these threats.

Once SVR actors gain initial access through unpatched systems, they can escalate privileges and move laterally across networks, often compromising connected systems such as supply chains. This enables them to launch further operations, including espionage, data exfiltration, and network disruption.

Following is the complete list of unpatched vulnerabilities that Russian SVR was observed exploiting:

| CVE | Vendor/Product | Details |
| --- | --- | --- |
| CVE-2023-20198 | Cisco IOS XE Software web UI feature | Privilege escalation vulnerability that allows an attacker to create a local user and password combination |
| CVE-2023-4911 | RHSA GNU C Library’s dynamic loader ld.so | Buffer overflow vulnerability that could allow a local attacker to execute code with elevated privileges |
| CVE-2023-38545 | Haxx Libcurl | SOCKS5 heap buffer overflow vulnerability |
| CVE-2023-38546 | Haxx Libcurl | Missing authorization vulnerability that allows an attacker to insert cookies in a running program if certain conditions are met |
| CVE-2023-40289 | Supermicro X11SSM-F, X11SAE-F, and X11SSE-F 1.66 | Command injection vulnerability that allows an attacker to elevate privileges |
| CVE-2023-24023 | Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 | Allows certain man-in-the-middle attacks that force a short key length [CWE-326], and might lead to discovery of the encryption key and live injection, aka BLUFFS |
| CVE-2023-40088 | Android | Use after free vulnerability that could lead to remote (proximal, adjacent) code execution |
| CVE-2023-40076 | Google Android 14.0 | Permissions bypass vulnerability that allows an attacker to access credentials and escalate local privileges |
| CVE-2023-40077 | Google Android 11-14 | Use after free vulnerability that can lead to escalation of privileges |
| CVE-2023-45866 | Bluetooth HID Hosts in BlueZ | Improper authentication vulnerability that could allow an attacker in close proximity to inject keystrokes and carry out arbitrary commands |
| CVE-2022-40507 | Qualcomm | Double free vulnerability |
| CVE-2023-36745 | Microsoft Exchange Server | Remote code execution |
| CVE-2023-4966 | Citrix NetScaler ADC, NetScaler Gateway | Buffer overflow vulnerability |
| CVE-2023-6345 | Google Chrome | Integer overflow vulnerability that allows a remote attacker to potentially perform a sandbox escape via a malicious file |
| CVE-2023-37580 | Zimbra | Cross-site scripting (XSS) vulnerability |
| CVE-2021-27850 | Apache Tapestry | Critical unauthenticated remote code execution vulnerability |
| CVE-2021-41773 | Apache HTTP server 2.4.99 | Directory traversal vulnerability |
| CVE-2021-42013 | Apache HTTP server 2.4.50 | Remote code execution vulnerability |
| CVE-2018-13379 | Fortinet FortiGate SSL VPN | Path traversal vulnerability |
| CVE-2023-42793 | JetBrains TeamCity | Authentication bypass vulnerability |
| CVE-2023-29357 | SharePoint Server | Elevation of privilege vulnerability |
| CVE-2023-24955 | SharePoint Server | Remote code execution vulnerability |
| CVE-2023-35078 | Ivanti Endpoint Manager Mobile versions through 11.10 | Authentication bypass vulnerability |
| CVE-2023-5044 | Kubernetes Ingress-nginx | Code injection vulnerability |

Not Just a Cybersecurity Threat: Broader Implications

The report also sheds light on how SVR actors adapt their techniques to keep pace with evolving technology. The NCSC warns that the group has adjusted its approach in response to the increasing reliance on cloud infrastructure, exploiting cloud misconfigurations and weak security practices. This makes them a formidable adversary for organizations that are migrating or already relying heavily on cloud services.

SVR actors have also been linked to recent large-scale attacks, including the supply chain compromise of SolarWinds and a series of spear-phishing campaigns targeting COVID-19 vaccine research. These incidents demonstrate the group’s focus on strategic assets and their potential to impact national security and public health.

APT29’s Arsenal: From Phishing to Supply Chain Attacks

The advisory also outlines the tactics, techniques, and procedures (TTPs) employed by SVR cyber actors. Their arsenal includes spear-phishing campaigns, password spraying, supply chain attacks, and the abuse of trusted relationships. These methods allow them to gain initial access and conduct follow-up operations from compromised accounts.

For instance, in recent campaigns, SVR actors were found to exploit cloud environments using Microsoft Teams accounts impersonating technical support to trick victims into granting access. By compromising poorly secured small business accounts, they were able to create platforms for targeting high-profile organizations.

Infrastructure and Evasion Tactics

SVR cyber actors are known for their ability to remain undetected for extended periods. They frequently use The Onion Router (TOR) network and proxy services to obfuscate their activity. In some cases, they lease infrastructure using fake identities and low-reputation email accounts to avoid detection.

When SVR suspects that their operations have been uncovered, they move quickly to destroy their infrastructure and any evidence on it. This evasive approach makes it difficult for investigators to trace their operations back to the original source.

Recent Exploitations: Zimbra, JetBrains, and More

SVR actors have also been involved in exploiting several high-profile vulnerabilities. For example, the advisory mentions the exploitation of Zimbra mail servers using CVE-2022-27924, a command injection vulnerability that allowed attackers to access user credentials without victim interaction.

More recently, they exploited JetBrains TeamCity’s CVE-2023-42793 vulnerability, enabling arbitrary code execution. This kind of exploitation highlights SVR’s focus on widely used software systems, allowing them to infiltrate a broad range of sectors and geographies.

Mitigations: What Organizations Can Do

In light of these ongoing campaigns, the NCSC and U.S. agencies have provided several recommendations to help organizations defend against SVR cyber actors. These include:

  • Rapid deployment of patches and updates: Organizations should prioritize software updates as soon as they become available to close known vulnerabilities.
  • Multi-factor authentication: Implementing multi-factor authentication across networks and systems can reduce the risk of unauthorized access.
  • Auditing cloud accounts: Regularly auditing cloud-based accounts for unusual activity can help detect intrusions before they escalate.
  • Reducing attack surface: Disable unnecessary internet-facing services and remove unused applications to limit points of entry for attackers.
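The advisory names password spraying among the SVR's initial-access techniques and recommends auditing accounts for unusual activity. The script below is an added example, not code from the advisory or from the NCSC, showing what that audit can look like in practice: it reads sign-in records in an assumed, constructed line format (timestamp, source IP, username, outcome) and flags a source address that fails against many distinct accounts with only one or two attempts each inside a short window, which is the signature of a spray rather than a brute force against a single account. Any successful sign-in from the same source within that window is listed separately, because those are the accounts an analyst would want to review first. The log lines, thresholds and window size are all constructed assumptions for the example and should be tuned to the tenant's own baseline.

```python
"""Added example: a minimal password-spray detector over sign-in logs.

Assumed (constructed) log line format, one event per line:
    <UTC timestamp, YYYY-MM-DDTHH:MM:SSZ> <source_ip> <username> <SUCCESS|FAILURE>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log for the example; not real data.
# 203.0.113.7 tries six different accounts once each (spray pattern).
# 198.51.100.4 tries one account three times (not a spray).
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 203.0.113.7 alice FAILURE
2024-01-10T08:00:05Z 203.0.113.7 bob FAILURE
2024-01-10T08:00:09Z 203.0.113.7 carol FAILURE
2024-01-10T08:00:13Z 203.0.113.7 dave FAILURE
2024-01-10T08:00:17Z 203.0.113.7 erin FAILURE
2024-01-10T08:00:21Z 203.0.113.7 frank SUCCESS
2024-01-10T08:05:00Z 198.51.100.4 alice FAILURE
2024-01-10T08:05:10Z 198.51.100.4 alice FAILURE
2024-01-10T08:05:20Z 198.51.100.4 alice SUCCESS
"""


def parse_log(text):
    """Parse the assumed line format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAILURE"):
            continue  # ignore lines that do not match the expected shape
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "source_ip": parts[1],
                       "user": parts[2], "outcome": parts[3]})
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_distinct_users=5, max_failures_per_user=2):
    """Flag source IPs whose failures spread across many accounts within a window.

    A spray is characterised by many distinct usernames with few attempts each;
    a burst of failures against a single account is deliberately not flagged here,
    since that is a different (brute-force) pattern with its own detection.
    Thresholds are constructed defaults for the example.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["source_ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide the window start across each event from this source.
        for i, start in enumerate(evs):
            end = start["ts"] + window
            in_window = [e for e in evs[i:] if e["ts"] <= end]
            failures = defaultdict(int)
            for e in in_window:
                if e["outcome"] == "FAILURE":
                    failures[e["user"]] += 1
            if (len(failures) >= min_distinct_users
                    and max(failures.values()) <= max_failures_per_user):
                successes = sorted({e["user"] for e in in_window
                                    if e["outcome"] == "SUCCESS"})
                findings.append({
                    "source_ip": ip,
                    "window_start": start["ts"],
                    "distinct_failed_users": len(failures),
                    "successes": successes,  # accounts to review first
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {f['source_ip']} starting {f['window_start']:%H:%M:%S}: "
              f"{f['distinct_failed_users']} accounts failed; "
              f"successful sign-ins: {f['successes'] or 'none'}")
```

On the sample data only 203.0.113.7 is reported, with five failed accounts and a successful sign-in as `frank`, while 198.51.100.4 is left alone because its failures all hit one account. In a real tenant the same logic runs over exported sign-in logs, and the success list is what turns a noisy alert into an actionable one.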
