UK and US share more vulnerabilities exploited by Russia's APT29 hackers

The UK and US governments' cybersecurity agencies have published today an in-depth report detailing techniques used by a group of Russian state hackers known as APT29, Cozy Bear, or the Dukes.

The report comes three weeks after US and UK authorities both accused the APT29 group of orchestrating the 2020 SolarWinds supply chain attack, which the two governments claimed was carried out by teams of hackers part of the Russian Foreign Intelligence Service, also known as the SVR, the successor organization to the well-known KGB.

On the same day with these accusations, three US cybersecurity agencies—CISA, the FBI, and NSA—also published a joint technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to breach organizations across the world.

New vulns exposed

But in a new report [PDF] published today, the three US security agencies, together with the UK's National Cyber Security Centre expanded the initial findings and added additional vulnerabilities that are also under attack and actively exploited by APT29. These include:

• CVE-2018-13379 FortiGate (known)
• CVE-2019-1653 Cisco router
• CVE-2019-2725 Oracle WebLogic Server
• CVE-2019-9670 Zimbra (known)
• CVE-2019-11510 Pulse Secure (known)
• CVE-2019-19781 Citrix (known)
• CVE-2019-7609 Kibana
• CVE-2020-4006 VMWare (known)
• CVE-2020-5902 F5 Big-IP
• CVE-2020-14882 Oracle WebLogic
• CVE-2021-21972 VMWare vSphere
• CVE-2021-26855 Microsoft Exchange

Of note is the last vulnerability on the list, CVE-2021-26855, a bug also known as ProxyLogon, which was discovered being exploited in the wild by Chinese government hackers earlier this year.

The UK NCSC report confirms that as soon as news of those attacks surfaced online, SVR hackers also jumped on the exploitation bandwagon to compromise and backdoor Exchange email servers before their owners installed Microsoft's patch.

Previous report forced APT29 to change tactics

Furthermore, the UK NCSC also noted that after the agency released a joint advisory together with CISA, the FBI, and NSA back in July 2020 detailing APT29's use of the WellMess and WellMail malware strains, the group reacted accordingly.

"SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders," the UK agency said today.

"These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses."

"The use of the Sliver framework was likely an attempt to ensure access to a number of the existing WellMess and WellMail victims was maintained following the exposure of those capabilities," UK officials said. "As observed with the SolarWinds incidents, SVR operators often used separate command and control infrastructure for each victim of Sliver."