Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild

Technology

Cyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous public disclosures of their attack methods, according to a new advisory jointly published by intelligence agencies from the U.K. and U.S. Friday.

“SVR cyber operators appear to have reacted […] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,” the National Cyber Security Centre (NCSC) said.

These include the deployment of an open-source tool called Sliver to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.

password auditor

The development followed the public attribution of SVR-linked actors to the SolarWinds supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.

The attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR’s APT29 group was using as initial access points to infiltrate U.S. and foreign entities.

“The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example COVID-19 vaccine targeting in 2020,” the NCSC said.

This was followed by separate guidance on April 26 that shed more light on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.

Now according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to “rapidly” weaponize recently released public vulnerabilities that could enable initial access to their targets.

“Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,” the agency said.

Products You May Like

Articles You May Like

Fitness influencer dies months after being shot in West LA robbery – NBC Los Angeles
Congress avoids a shutdown but leaves ‘a big mess’ for Trump and Republicans in 2025 – NBC Los Angeles
Honor Magic 7 Lite Listed Online; Colour Options, RAM and Storage Configurations Revealed
Publishers Weekly Announces Their Person of the Year
Nike (NKE) earnings Q2 2025