United States government security agencies, including the NSA, have released a joint advisory warning citizens of the most threatening security exploits being used by the Russian Foreign Intelligence Service (SVR). The SVR’s cyber arm has been tracked under the names Cozy Bear, APT29, and The Dukes by various cybersecurity researchers over the years. Unsurprisingly, Cozy Bear is associated with a staggering number of cyberattacks in the last five years, most notably the SolarWinds attack last year, which the US officially pinned on the group this month.
In the report, the agencies outline that SVR/Cozy Bear “frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access. This targeting and exploitation encompasses U.S. and allied networks, including national security and government-related systems.”
As well as SolarWinds, SVR/Cozy Bear has been behind a number of attacks in the last 12 months. These include targeting COVID-19 research facilities through deploying WellMess malware and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse. SVR cyber actors also used authentication abuse tactics following SolarWinds-based breaches.
The SVR/Cozy Bear has exploited, and continues to successfully exploit, software vulnerabilities to gain initial footholds in victim devices and networks. The five most notable vulnerabilities outlined in the report are as follows:
CVE-2018-13379 – This vulnerability affects Fortinet. In Fortinet Secure Sockets Layer (SSL) Virtual Private Network (VPN) web portals, an Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. Threat actors have extensively used this vulnerability in the past to target government agencies and corporate networks, including U.S. government election support systems and COVID-19 research organizations, and more recently to deploy the Cring ransomware. In November 2020, a threat actor leaked the credentials for almost 50,000 Fortinet VPN devices on a hacker forum.
CVE-2019-9670 – A vulnerability in Synacor Zimbra Collaboration Suite: the mailboxd component has an XML External Entity injection (XXE) vulnerability.
CVE-2019-11510 – In Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. Pulse Secure VPNs have been a favorite for threat actors for some time, being used to gain access to US government networks, attack hospitals, and deploy ransomware on networks.
CVE-2019-19781 – Citrix Application Delivery Controller (ADC) and Gateway allow directory traversal. The CVE-2019-19781 exploit is known to be used by threat actors, including ransomware gangs, to gain access to corporate networks and deploy malware.
CVE-2020-4006 – VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability. In December 2020, the US government warned that Russian state-sponsored threat actors were exploiting this vulnerability to deploy web shells on vulnerable servers and exfiltrate data.
The report has given several mitigation steps for system owners:
NSA, CISA, and FBI recommend that critical system owners prioritize the following mitigation actions to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, ongoing operations, and competitive advantage. Additionally, due to the various systems and networks that could be impacted outside of these sectors, NSA, CISA, and FBI recommend that the following mitigations be prioritized for action by all network defenders.
While some vulnerabilities have specific additional mitigations below, the following general mitigations apply:
- Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.
- Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in device configurations.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.
- Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.
- Adopt a mindset that compromise happens: prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach’s full scope before remediating.
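Three of the five vulnerabilities above (CVE-2018-13379, CVE-2019-11510 and CVE-2019-19781) are path-traversal or arbitrary-file-read bugs triggered by crafted HTTP requests, and the mitigations call for robust logging of Internet-facing services plus continuous hunting. The following added example, which is not from the advisory or from any vendor, shows what such a hunt can look like over web-portal access logs: it percent-decodes request paths until stable (so double encoding is caught), unifies backslashes, and flags traversal segments while ignoring look-alikes such as "release..notes.html". The log lines, IPs and paths are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined"-style access log line; we only need source IP, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample log lines from a hypothetical Internet-facing VPN portal;
# the IPs and paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2021:10:01:02 +0000] "GET /portal/login?lang=en HTTP/1.1" 200 512
203.0.113.9 - - [15/Apr/2021:10:01:07 +0000] "GET /portal/download?file=../../../../etc/passwd HTTP/1.1" 200 1843
198.51.100.7 - - [15/Apr/2021:10:02:11 +0000] "GET /static/%2e%2e/%2e%2e/config.xml HTTP/1.1" 200 980
198.51.100.8 - - [15/Apr/2021:10:02:40 +0000] "GET /portal/%252e%252e%252f%252e%252e%252fsecrets HTTP/1.1" 404 0
203.0.113.9 - - [15/Apr/2021:10:03:01 +0000] "GET /portal/download?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 221
192.0.2.3 - - [15/Apr/2021:10:03:30 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 4096
"""

def normalize(path: str) -> str:
    """Percent-decode until stable (catches double encoding), unify slashes, lowercase."""
    for _ in range(4):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

# A ".." segment at the start or after '/', '=', '?' or '&', followed by '/' or the end.
TRAVERSAL_RE = re.compile(r"(?<![^/=?&])\.\.(?=/|$)")

def is_traversal(raw_path: str) -> bool:
    return TRAVERSAL_RE.search(normalize(raw_path)) is not None

def hunt(log_text: str) -> list[dict]:
    """One record per request whose (decoded) path contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "served": m["status"] == "200"})
    return hits

def summarize(hits: list[dict]) -> dict:
    """Per-source counts; a traversal request answered with HTTP 200 deserves the first look."""
    return {"attempts_by_ip": dict(Counter(h["ip"] for h in hits)),
            "served_ips": sorted({h["ip"] for h in hits if h["served"]})}
```

Run `summarize(hunt(SAMPLE_LOG))` on the sample: two sources had traversal requests answered with 200, which is the signal to pull the device's own logs and check for credential exposure rather than just patching.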
As the SVR/Cozy Bear has been utilizing a combination of these exploits in their attacks, it is strongly advised that all administrators install the associated security updates immediately.
The NSA warned last year that two of these exploits, CVE-2019-11510 and CVE-2019-19781, are also in the top 25 vulnerabilities utilized by China state-sponsored hackers.
History of the Group Abusing The Exploits: SVR/Cozy Bear
There is no widely agreed upon date for Cozy Bear’s first appearance. Researchers have found traces in one of their malware strains, MiniDuke, that point to the group being active since 2008. Other sources note that Cozy Bear first came to fame when hacking minor diplomatic entities in 2010.
As well as MiniDuke, Cozy Bear gained notoriety by developing several other malware strains in the early 2010s. These include CozyDuke, CosmicDuke, OnionDuke, HAMMERTOSS, PolyglotDuke, RegDuke, FatDuke, and SeaDuke.
Cozy Bear is known to program their malware in assembly language. Assembly is the lowest-level programming language in common use, which highlights the group’s skills. Furthermore, assembly is the fastest language because of its closeness to the hardware; this gives their malware strains lightning-fast processing times.
In March 2014, a Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Cozer) on their network. Cozy Bear then launched an email campaign attempting to lure victims into clicking on a flash video of office monkeys that also included malicious executables. By July the group had compromised government networks and directed CozyDuke-infected systems to install MiniDuke onto a compromised network.
In the summer of 2014, digital agents of the Dutch General Intelligence and Security Service infiltrated Cozy Bear. They found that these Russian hackers were targeting the US Democratic Party, State Department and White House. Their evidence influenced the FBI’s decision to open an investigation.
In August 2015, Cozy Bear was linked to a spear-phishing cyber-attack against the Pentagon email system, causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.
In June 2016, Cozy Bear was implicated alongside the hacker group Fancy Bear in the Democratic National Committee cyber attacks. While the two groups were both present in the Democratic National Committee’s servers at the same time, they appeared to be unaware of the other, each independently stealing the same passwords and otherwise duplicating their efforts. A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC’s network for over a year, Fancy Bear had only been there a few weeks. Cozy Bear’s more sophisticated tradecraft and interest in traditional long-term espionage suggest that the group originates from a separate Russian intelligence agency.
On February 3, 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to spearphish the email accounts of nine individuals in the Ministry of Defence, Ministry of Foreign Affairs, and the Labour Party. The acts were attributed to Cozy Bear, whose targets included the Norwegian Radiation Protection Authority, PST section chief Arne Christian Haugstøyl, and an unnamed colleague. Prime Minister Erna Solberg called the acts “a serious attack on our democratic institutions.”
In February 2017, it was revealed that Cozy Bear and Fancy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents.
Suspicions that Cozy Bear had ceased operations were dispelled in 2019 by the discovery of three new malware families attributed to Cozy Bear: PolyglotDuke, RegDuke and FatDuke. This shows that Cozy Bear did not cease operations, but rather had developed new tools that were harder to detect. Target compromises using these newly uncovered packages are collectively referred to as Operation Ghost.
And most recently, Cozy Bear was found to be behind the 2020 SolarWinds attack, a supply-chain attack that crippled large parts of the US. Given their history, and the number of critical exploits the internet is faced with now, it’s unlikely this will be the last we’ll hear of the group.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers, at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.