Russian spies from APT29 responded to Western agencies outing their tactics by adopting a red-teaming tool to blend into targets' networks as a legitimate pentesting exercise.
Now, the UK's National Cyber Security Centre (NCSC) and the US warn, the SVR is busy exploiting a dozen critical-rated vulns (including RCEs) in equipment ranging from Cisco routers through to VMware virtualization kit – and the well-known Pulse Secure VPN flaw, among others.
"In one example identified by the NCSC, the actor had searched for authentication credentials in mailboxes, including passwords and PKI keys," warned the GCHQ offshoot today.
Roughly equivalent to MI6 mixed with GCHQ, the SVR is Russia's foreign intelligence service and is known to infosec pros as APT29. A couple of weeks ago, Britain and the US joined forces to out the SVR's Tactics, Techniques and Procedures (TTPs), giving the world's infosec defenders a chance to look out for the state-backed hackers' fingerprints on their networked infrastructure.
"SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders," said the poker-faced NCSC today, in an advisory detailing precisely what those changed TTPs are.
- A severe hole in Pulse Secure's Zero Trust Remote Access VPN software;
- An arbitrary code execution vuln in F5 BIG-IP app delivery controllers;
- An exploitable flaw in the Cisco RV320 WAN router (live code for the exploit exists in the wild);
- A critical vuln in Citrix (Netscaler) ADC load-balancers (publicly disclosed, ironically, by now-US-sanctioned Positive Technologies);
- A critical RCE vuln in VMware's HTML5 client for its vSphere hybrid cloud suite; and
- An exploitable hole in Oracle's WebLogic Server permitting remote code execution
On top of all that the SVR is also posing as legitimate red-team pentesters: looking for easy camouflage, the spies hopped onto GitHub and downloaded the free open-source Sliver red-teaming platform, in what the NCSC described as "an attempt to maintain their accesses."
There are more vulns being abused by the Russians and the full NCSC advisory on what these are can be read on the NCSC website. The advisory includes YARA and Snort rules.
The self-preservation society
Separately, the NCSC issued a blog post this morning warning public sector operators of smart city infrastructure to be wary of unnamed hostile foreign countries using these installations to steal data and more.
Comparing the risks to The Italian Job, NCSC chief techie Ian Levy wrote: "As part of an elaborate heist, a dodgy computer professor (played by Benny Hill) switches magnetic storage tapes for the Turin traffic control to create a gridlock."
Drawing on this, the NCSC has published a set of "connected places cyber security principles" for operators of public spaces with connectivity kit and sensors in them.
Why the sudden focus on smart streetlights and all the rest of it? Though the NCSC wouldn't be drawn, a clue lies in El Reg's inbox. For the past few years Huawei has been one of the most aggressively marketed smart city vendors. The Chinese company's website boasts of its "smart city solution service", which consists of covering your dumb pavements and stupid trees in sensors that may or may not be remotely accessible by Beijing.
More prosaically, the risk in smart cities is the direct control of operational technology; industrial equipment such as CCTV, streetlights and access control systems. We understand at least one UK council is removing some smart city gear after having had a think about the wisdom of installing it. ®