US, UK Authorities Warn of Hackers Attacking Zimbra & TeamCity Servers


In a joint advisory issued on October 10, 2024, the US and UK cyber agencies have warned of ongoing attacks by Russian hackers targeting vulnerable Zimbra and JetBrains TeamCity servers.

The advisory, released by the NSA, FBI, US Cyber Command’s Cyber National Mission Force (CNMF), and the UK’s National Cyber Security Centre (NCSC), highlights the tactics, techniques, and procedures (TTPs) employed by the Russian Foreign Intelligence Service (SVR) in these cyber operations.


The SVR, also known as APT29, Cozy Bear, Midnight Blizzard (formerly Nobelium), and the Dukes, has been consistently targeting US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations.

Their operations have posed a global threat to government and private sector organizations, particularly in support of Russia’s ongoing invasion of Ukraine since February 2022.


The hackers have been exploiting vulnerabilities in Zimbra and TeamCity servers at a mass scale to target victims worldwide across various sectors.

Specifically, they have used CVE-2022-27924, a command injection vulnerability in Zimbra, to access user credentials and mailboxes without victim interaction.

Additionally, they have exploited CVE-2023-42793, an authentication bypass vulnerability in JetBrains TeamCity, to execute arbitrary code and gain unauthorized access to software developers’ networks.

The advisory lists over two dozen vulnerabilities that the SVR has exploited or is likely to exploit for initial access, remote code execution, and privilege escalation.

These vulnerabilities include issues in Cisco IOS XE Software, the RHSA GNU C Library, Haxx Libcurl, Supermicro X11SSM-F, and Google Android, among others.

To counter these threats, the authoring agencies recommend that organizations prioritize rapid deployment of patches and software updates, reduce their attack surface by disabling unnecessary Internet-accessible services, and perform continuous threat hunting activities.

They also emphasize the importance of proper system configuration, multi-factor authentication, and robust logging for authentication services and Internet-facing functions.

The NCSC operations director, Paul Chichester, stressed that Russian cyber actors are highly capable of accessing unpatched systems across various sectors and can exploit this access to meet their objectives.

The ongoing exploitation of vulnerabilities by the SVR underscores the need for organizations to remain vigilant and proactive in their cybersecurity efforts.

By following the recommended mitigations and staying informed about the latest threats, organizations can better protect themselves against these sophisticated cyber attacks.

Mitigations

  • Prioritize Patch Deployment: Rapidly deploy patches and software updates as soon as they become available.
  • Reduce Attack Surface: Disable unnecessary Internet-accessible services and restrict access to trusted networks.
  • Perform Continuous Threat Hunting: Regularly monitor systems for signs of unauthorized activity.
  • Implement Multi-Factor Authentication: Require additional identity challenges for new device enrollments and notify users of successful registrations.
  • Enable Robust Logging: Monitor authentication services and Internet-facing functions for suspicious activity.

By taking these steps, organizations can significantly improve their cybersecurity posture and reduce the risk of falling victim to these targeted attacks.
