NSA issues updated guidance on Russian SVR cyber operations

The National Security Agency (NSA) has joined the Federal Bureau of Investigation (FBI), the US Cyber National Mission Force (CNMF) and the UK’s National Cyber Security Centre (NCSC) to warn network defenders about cyber threats from the Russian Federation’s Foreign Intelligence Service (SVR) and to recommend rapid countermeasures, chiefly prompt patching and hardening of exposed systems.

In a press statement, Dave Luber, the NSA’s director of cybersecurity, said: “This activity is a global threat to government and the private sector and requires a thorough review of security controls, including prioritizing patches and keeping software up to date. Our updated guidance will help network defenders detect these intrusions and ensure they take steps to secure their systems.”

The joint Cybersecurity Advisory (CSA), “Update on SVR Cyber Operations and Vulnerability Exploitation,” highlights how Russian SVR cyber actors are currently exploiting a set of software vulnerabilities and intend to exploit additional ones. It provides a detailed list of publicly disclosed Common Vulnerabilities and Exposures (CVEs) and a list of mitigations, based on observed SVR operations, to improve an organization’s cybersecurity posture.

According to the CSA, SVR cyber actors use a range of tactics, techniques and procedures (TTPs), including but not limited to spearphishing, password spraying, abuse of supply chains and trusted relationships, custom and bespoke malware, exploitation of cloud environments, and living-off-the-land techniques. They gain initial access, escalate privileges, move laterally, maintain persistence across victim networks and cloud environments, and exfiltrate information. They often hide their activity using Tor, leased and compromised infrastructure, and proxies.

To disrupt this activity, the report’s authors recommend, among other mitigations, baselining authorized devices and scrutinizing any system that accesses the network without adhering to that baseline.

Since 2021, SVR actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Dukes and Cozy Bear – have consistently targeted US, European and global entities in the defense, technology and finance sectors. Their intent is to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine.

Recommendations

The authoring agencies recommend that organizations implement the mitigations below to improve their cybersecurity posture based on the threat actor’s activity.

• Prioritize the rapid deployment of software patches and updates as soon as they become available. Enable automatic updates where possible.
• Reduce your attack surface by disabling Internet-accessible services you don’t need or restricting them to trusted networks, and by removing unused applications and utilities from workstations and development environments.
• Perform continuous threat hunting activities.
• Ensure your systems are properly configured: check for open ports and outdated or unused protocols, especially on Internet-facing systems.
• Isolate Internet-facing services in a network demilitarized zone (DMZ) to reduce exposure of internal networks.
• Require and enforce multi-factor authentication whenever possible.
• Require additional identity challenges when enrolling new devices where users are allowed to self-enroll multi-factor authentication mechanisms or to enroll devices in the corporate network.
• Notify users across multiple platforms when a device has been successfully enrolled, to help identify unexpected enrollments. Train and encourage users to notice and report unexpected enrollments.
• Enable robust logging for authentication services and Internet-facing functions.
• Regularly audit cloud-based accounts and applications with administrative access to email for unusual activity.
• Limit token access lifetimes and monitor for evidence of token reuse.
• Implement least-privilege access and disable external management capabilities.
• Baseline authorized devices and apply additional scrutiny to systems accessing network resources that do not adhere to the baseline.
• Disable remote downloading of information to unenrolled devices where possible.
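Two of the behaviours named above, password spraying (from the TTP list) and access-token reuse (from the mitigations), can be hunted for in ordinary authentication logs. The script below is an added example written for this article, not code from the advisory or any of the authoring agencies. The log format (`auth=`, `user=`, `src=`, `token=` fields), the sample lines, the 10-minute window and the five-account threshold are all constructed assumptions for illustration; adapt the parser and thresholds to your own identity provider’s log schema.

```python
"""Threat-hunting checks for two behaviours named in the advisory:
password spraying (one source fails against many distinct accounts in a
short window) and access-token reuse from more than one source address.
All log lines and field names are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real data).
SAMPLE_LOG = """\
2024-10-01T08:00:01Z auth=fail user=alice src=203.0.113.7 token=-
2024-10-01T08:00:03Z auth=fail user=bob src=203.0.113.7 token=-
2024-10-01T08:00:05Z auth=fail user=carol src=203.0.113.7 token=-
2024-10-01T08:00:07Z auth=fail user=dave src=203.0.113.7 token=-
2024-10-01T08:00:09Z auth=fail user=erin src=203.0.113.7 token=-
2024-10-01T08:00:11Z auth=fail user=frank src=203.0.113.7 token=-
2024-10-01T08:00:30Z auth=fail user=alice src=198.51.100.9 token=-
2024-10-01T08:00:40Z auth=fail user=alice src=198.51.100.9 token=-
2024-10-01T08:05:00Z auth=ok user=grace src=198.51.100.20 token=tok-AAA
2024-10-01T08:09:00Z auth=ok user=grace src=198.51.100.20 token=tok-AAA
2024-10-01T08:12:00Z auth=ok user=grace src=192.0.2.44 token=tok-AAA
2024-10-01T08:15:00Z auth=ok user=heidi src=198.51.100.21 token=tok-BBB
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted distinct users} for every source whose failed
    logons touch at least `min_users` distinct accounts within `window`.
    A single user failing repeatedly (brute force) is deliberately not
    matched here; spraying is many accounts, few attempts each."""
    fails = defaultdict(list)
    for r in records:
        if r["auth"] == "fail":
            fails[r["src"]].append((r["ts"], r["user"]))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def find_token_reuse(records):
    """Return {token: sorted source IPs} for tokens that were presented
    successfully from more than one source address."""
    seen = defaultdict(set)
    for r in records:
        if r["auth"] == "ok" and r["token"] != "-":
            seen[r["token"]].add(r["src"])
    return {tok: sorted(srcs) for tok, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("password spray candidates:", find_password_spray(recs))
    print("token reuse candidates:", find_token_reuse(recs))
```

On the constructed sample, the spray check flags 203.0.113.7 (six accounts in ten seconds) but not 198.51.100.9 (one account failing twice), and the reuse check flags tok-AAA because it was presented from two different addresses. In production, a token moving between networks is only a lead, not proof of theft; correlate it with device enrollment records and the short token lifetimes the advisory recommends before acting.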

The authoring agencies also recommend that you test your existing security controls to assess how they perform against the techniques described in the advisory.

Read the full report here.