Today, the UK’s National Cyber Security Centre (NCSC), along with the NSA and FBI, issued a stark warning about ongoing cyber threats from groups tied to the Russian government. They are highlighting how these actors exploit vulnerabilities on a large scale.
The latest alert focuses on the risk posed by Moscow’s Foreign Intelligence Service, the SVR. They’re urging organizations to act fast, applying patches and software updates as soon as they can. The SVR is believed to direct a group known as APT29, or Cozy Bear. This group has made headlines for major incidents like the SolarWinds breach and the 2016 attack on the U.S. Democratic National Committee.
Paul Chichester, the NCSC operations director, pointed out that Russian cyber actors are skilled at infiltrating unpatched systems across various sectors. Once they gain access, they exploit that entry to further their goals.
The advisory outlines Cozy Bear’s recent tactics, especially their focus on government entities, think tanks, tech firms, and financial institutions. They’re adept at scanning internet-facing systems, looking for unpatched vulnerabilities they can capitalize on. This means any organization, not just those in high-stakes sectors, could find itself exposed. Cozy Bear can use compromised systems to host malicious activities, launch follow-up operations, or move into other networks.
The notorious Sunburst incident showed how SolarWinds inadvertently gave Cozy Bear a gateway into U.S. government networks. The advisory details Cozy Bear’s tendency to exploit publicly known vulnerabilities in various products, many of which have been known for over five years and are now patched. Still, these holes can facilitate a range of attacks.
Notably, two vulnerabilities have caught attention recently: CVE-2022-27924 and CVE-2023-42793. The first is a command injection flaw in Zimbra, allowing attackers to inject commands into targeted systems without needing user interaction. Cozy Bear has exploited this vulnerability across hundreds of domains, gaining access to user accounts and emails without alerting the victims.
The second, linked to JetBrains TeamCity, involves a flaw that allows authentication bypass through improper handling of certain paths, paving the way for additional attacks. Given Cozy Bear’s established tactics and past targets, they’re likely to explore other vulnerabilities for access, remote code execution, and escalating privileges.