Russian state-sponsored cyber actors targeting U.S. critical infrastructure
THREAT LEVEL: Red.
In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) revealed that Russian state-sponsored threat actors targeted U.S. defense contractors from January 2020 to February 2022. The threat actors exfiltrated sensitive data from small and large U.S. companies working on defense and intelligence contracts, including missile development, vehicle and aircraft development, and software development.
The threat actors gain initial access by using brute force to identify valid credentials for domain and M365 accounts. With compromised M365 credentials, including global admin accounts, they gain access to M365 resources such as SharePoint pages, user profiles, and user emails. They also used harvested credentials in conjunction with the known vulnerabilities CVE-2020-0688 and CVE-2020-17144 in Microsoft Exchange Server to escalate privileges and gain remote code execution (RCE) on the exposed applications. In addition, they exploited CVE-2018-13379 on FortiClient to obtain credentials for network access. Once inside a network, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database “ntds.dit”. In multiple breaches they maintained persistence in the network for at least 6 months, continuously exfiltrating sensitive emails and data.
Organizations can mitigate the risk by following these recommendations:
• Monitor the use of stolen credentials.
• Keep all operating systems and software up to date.
• Enable multifactor authentication (MFA) for all users, without exception.
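The initial-access technique described above (brute-forcing valid domain and M365 credentials) and the first recommendation (monitor the use of stolen credentials) both come down to the same detection problem: one source failing logons against many distinct accounts in a short window, followed by a successful logon from that same source. The following Python script is an added example, not code from the advisory or from HivePro. It runs over constructed sample log lines in an assumed pipe-delimited format (timestamp|event_id|account|source_ip) modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon); the sample IPs and account names are made up, and the window and account thresholds are illustrative defaults rather than values the advisory states.

```python
"""
Detect a password-spraying pattern in authentication logs: one source tries a
few passwords against many distinct accounts inside a short window (as opposed
to brute force against a single account), then flag any successful logon from
that source as a likely use of a guessed or stolen credential.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the advisory), one logon event each:
# timestamp|event_id|account|source_ip, with 4625 = failed, 4624 = successful.
# 203.0.113.5 sprays six accounts then succeeds; 198.51.100.7 hammers one
# account (brute force, not spray); 192.0.2.10 is a user mistyping once.
SAMPLE_LOG = """\
2022-02-16T09:00:01|4625|a.jones|203.0.113.5
2022-02-16T09:00:04|4625|b.smith|203.0.113.5
2022-02-16T09:00:07|4625|c.lee|203.0.113.5
2022-02-16T09:00:10|4625|d.patel|203.0.113.5
2022-02-16T09:00:13|4625|e.garcia|203.0.113.5
2022-02-16T09:00:16|4625|f.brown|203.0.113.5
2022-02-16T09:05:30|4624|f.brown|203.0.113.5
2022-02-16T09:01:00|4625|c.lee|198.51.100.7
2022-02-16T09:01:20|4625|c.lee|198.51.100.7
2022-02-16T09:01:40|4625|c.lee|198.51.100.7
2022-02-16T09:02:00|4625|c.lee|198.51.100.7
2022-02-16T09:03:00|4625|g.wong|192.0.2.10
2022-02-16T09:03:05|4624|g.wong|192.0.2.10
"""


def parse_log(text):
    """Parse the assumed format into time-ordered (datetime, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, account, source = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), account.lower(), source))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """
    Return {source_ip: sorted list of targeted accounts} for every source whose
    failed logons hit at least `min_accounts` distinct accounts within `window`.
    Uses a sliding window per source over its time-ordered failures, so a source
    that guesses one account repeatedly (classic brute force) is not flagged here.
    """
    failures = defaultdict(list)
    for ts, eid, account, source in events:
        if eid == 4625:
            failures[source].append((ts, account))

    sprayers = defaultdict(set)
    for source, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                sprayers[source].update(accounts)
    return {src: sorted(accts) for src, accts in sprayers.items()}


def successes_after_spray(events, sprayers):
    """
    Accounts that logged on successfully from a spraying source after its spray
    began: the credential is now in use by the attacker and should be reset.
    Returns a list of (source_ip, account, iso_timestamp).
    """
    first_fail = {}
    for ts, eid, account, source in events:
        if eid == 4625 and source in sprayers and source not in first_fail:
            first_fail[source] = ts
    hits = []
    for ts, eid, account, source in events:
        if eid == 4624 and source in sprayers and ts > first_fail[source]:
            hits.append((source, account, ts.isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprayers = detect_password_spray(evs)
    for src, accts in sprayers.items():
        print(f"password spray from {src}: {len(accts)} accounts targeted {accts}")
    for src, acct, when in successes_after_spray(evs, sprayers):
        print(f"ALERT: successful logon for {acct} from spraying source {src} at {when}")
```

The two-stage shape matters in practice: the spray detector alone produces an informational alert on the source, while a success from that source is the high-priority event that should trigger a credential reset and session revocation for the affected account. Thresholds need tuning per environment; a large M365 tenant sees more legitimate failed logons per source (shared NAT egress) than a small domain does.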
The techniques commonly used by the Russian cyber actor APT28 are:
TA0043: Reconnaissance
TA0001: Initial Access
TA0004: Privilege Escalation
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0009: Collection
TA0003: Persistence
TA0008: Lateral Movement
TA0011: Command and Control
T1027: Obfuscated Files or Information
T1133: External Remote Services
T1190: Exploit Public-Facing Application
T1083: File and Directory Discovery
T1482: Domain Trust Discovery
T1213.002: Data from Information Repositories: SharePoint
T1090.003: Proxy: Multi-hop Proxy
T1589.001: Gather Victim Identity Information: Credentials
T1003.003: OS Credential Dumping: NTDS
T1110.003: Brute Force: Password Spraying
T1566.002: Phishing: Spearphishing Link
T1078.002: Valid Accounts: Domain Accounts
T1078.004: Valid Accounts: Cloud Accounts
Actor Details
Vulnerability Details