fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Russian State Hackers Switch Targets After US Joint Advisories

Russian State Hackers Switch Targets After US Joint Advisories

Russian Foreign Intelligence Service (SVR) operators have switched their attacks to target new vulnerabilities in reaction to US govt advisories published last month with info on SVR tactics, tools, techniques, and capabilities used in ongoing attacks.

The warning comes after US and UK governments formally attributed the SolarWinds supply-chain attack and COVID-19 vaccine developer targeting to Russian SVR (aka APT29, Cozy Bear, and The Dukes) operators’ cyber-espionage efforts on April 15.

On the same day, the NSA, CISA, and the FBI informed organizations and service providers about the top five vulnerabilities exploited in SVR attacks against US interests.

In a third advisory issued on April 26, the FBI, DHS, and CIA warned of continued attacks coordinated by the Russian SVR against the US and foreign organizations.

The US federal agencies pointed out that SVR operators commonly use password spraying, exploit the CVE-2019-19781 vulnerability to obtain network access, and deploy WELLMESS malware on compromised systems.

Russian SVR’s response to US and UK advisories

Today, in a new NCSC(UK)-CISA-FBI-NSA joint security advisory [PDF], network defenders are warned to patch systems as promptly as possible to match the speed with which Russian SVR state hackers already changed targets following the April advisories.

“SVR cyber operators appear to have reacted […] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,” according to today’s US-UK joint advisory.

“These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses.

The Russian cyberspies have also begun scanning for Microsoft Exchange servers exposed to ProxyLogon attacks targeting the CVE-2021-26855.

In all, as US and UK cyber-agencies recently observed, the Russian SVR is exploiting multiple vulnerabilities including, but not limited to:

Mitigation advice and guidance

“The SVR targets organizations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time-bound targeting, for example, COVID-19 vaccine targeting in 2020,” the joint advisory reads.

“Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage.”

At-risk government and privately-held organizations are urged to follow mitigation advice and guidance shared in the joint advisory and use Snort and YARA detection rules in the appendix to detect and defend against ongoing Russian SVR activity.

Below you can find a quick rundown of important mitigation measures for defending against these ongoing attacks:

  • Managing and applying security updates as quickly as possible will help reduce the attack surface available for SVR actors, and force them to use higher equity tooling to gain a foothold in the networks.
  • By implementing good network security controls and effectively managing user privileges, organizations will help prevent lateral movement between hosts. This will help limit the effectiveness of even complex attacks.
  • Detecting supply chain attacks, such as the Mimecast compromise, will always be difficult. An organization may detect this sort of activity through heuristic detection methodologies such as the volume of emails being accessed or by identifying anomalous IP traffic.
  • Organizations should ensure sufficient logging (both cloud and on-premises) is enabled and stored for a suitable amount of time to identify compromised accounts, exfiltrated material, and actor infrastructure.
  • Use Microsoft’s mailbox auditing action called ‘MailItemsAccessed’ to investigate the compromise of email accounts and identify emails accessed by users. This gives organizations forensic defensibility to help assert which individual pieces of mail were or were not maliciously accessed by an attacker.

CISA also published today a summary of mitigation strategies [PDF] shared in the joint advisories issued during the last month to help secure networks against Russian SVR attacks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us