Tactical actions organisations can take to defend against recent APT29 activity

APT29 Cozy Bear

On Thursday 16 July 2020, the NCSC released an advisory on how Russian cyber actors are targeting organisations involved in COVID-19 vaccine development.

The advisory details four activities APT29 are carrying out as part of this ongoing campaign, focusing on the initial stages of a cyber attack:

  • Exploiting vulnerabilities in Internet-facing systems to obtain authentication credentials;
  • Spearphishing employees to obtain authentication credentials;
  • Using legitimate credentials to maintain access to systems and applications; and,
  • Deploying custom malware to systems to conduct further actions.

In this blog, I outline the tactical actions organisations should consider taking to defend against each of these activities.

Organisations should defend against all previous tools and techniques APT29 have been observed using, not just the four activities listed in this advisory. For more information on this and mitigations that can be taken, see here.

Exploiting vulnerabilities in Internet-facing systems to obtain authentication credentials

MITRE ATT&CK techniques: Exploit Public-Facing Application (T1190)

Improve IT hygiene

  • Perform a vulnerability scan of Internet-facing IP address ranges to identify any vulnerable services, by using vulnerability scanning tools such as Tenable.io. Alternatively, engage a cyber security company to assist you with this by providing penetration testing services.
  • Patch Internet-facing systems and services to remove vulnerabilities attackers could exploit. Upgrade or decommission systems that cannot be patched. Internet-facing vulnerabilities that can be exploited by attackers should not be risk accepted.
  • Manually confirm security patches have been applied to services commonly exploited by attackers to ensure these services have not been overlooked by normal patching processes. This should include instances of Citrix, Pulse Secure, FortiGate or Zimbra.
  • Review logs of any vulnerable systems identified to investigate whether the vulnerabilities were previously exploited by attackers. If no logs are available for a system, consider re-building it or engaging incident response experts to investigate it for evidence of compromise.
  • Restrict the use of domain administrator accounts to prevent credentials for these accounts being exposed on servers at risk of compromise. Restrict accounts in the domain admins group from logging into workstations and servers, as a first step towards implementing a three-tiered administration model.
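As an added example (not code from the original post), the following Python audits exported Windows Security 4624 logon events for Domain Admin logons outside tier 0 that leave reusable credentials on the host; the Domain Admins membership, host tiers and event records are constructed placeholders.

```python
# Added example: find where Domain Admin credentials have been exposed on
# non-tier-0 hosts, from constructed Windows 4624 logon events.
from collections import defaultdict

# Logon types that leave reusable credentials on the target host
# (interactive, batch, service, RDP, cached). Network logons (type 3)
# do not, so they are deliberately not flagged.
CREDENTIAL_EXPOSING_LOGON_TYPES = {
    2: "Interactive",
    4: "Batch",
    5: "Service",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed asset list: tier 0 is domain controllers and admin workstations only.
HOST_TIER = {"DC01": 0, "PAW01": 0, "APP01": 1, "CITRIX01": 1, "WS042": 2}

# Constructed Domain Admins group membership (assumed names).
DOMAIN_ADMINS = {"da-alice", "da-bob"}

# Constructed 4624 records, using the field names found in the event XML.
EVENTS = [
    {"host": "DC01", "TargetUserName": "da-alice", "LogonType": 2},
    {"host": "WS042", "TargetUserName": "da-alice", "LogonType": 10},
    {"host": "APP01", "TargetUserName": "da-bob", "LogonType": 5},
    {"host": "APP01", "TargetUserName": "da-bob", "LogonType": 3},
    {"host": "WS042", "TargetUserName": "jsmith", "LogonType": 2},
    {"host": "CITRIX01", "TargetUserName": "DA-ALICE", "LogonType": 2},
]


def tier0_credential_exposure(events, domain_admins, host_tier):
    """Return {host: [(user, logon type name), ...]} for each Domain Admin
    logon to a non-tier-0 host that leaves credentials on that host."""
    admins = {u.lower() for u in domain_admins}
    findings = defaultdict(list)
    for e in events:
        user = e["TargetUserName"].lower()
        if user not in admins:
            continue
        # Hosts missing from the asset list are treated as the least trusted tier.
        if host_tier.get(e["host"], 2) == 0:
            continue
        logon_name = CREDENTIAL_EXPOSING_LOGON_TYPES.get(e["LogonType"])
        if logon_name is None:
            continue
        findings[e["host"]].append((user, logon_name))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in tier0_credential_exposure(EVENTS, DOMAIN_ADMINS, HOST_TIER).items():
        print(host, hits)
```

Each host listed in the output is one where a tier-0 credential could be harvested if that host were compromised, which is exactly the exposure the logon restriction is meant to remove.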

Spearphishing employees to obtain authentication credentials

MITRE ATT&CK techniques: Phishing (T1566)

Uplift email and web filtering

  • Deploy an advanced email filtering tool to help protect against phishing emails, for example, Office 365 Advanced Threat Protection.
  • Deploy a web filtering tool to control access to Internet traffic with security policies, protect against web-based threats and prevent credential phishing attacks, for example, Palo Alto Networks Prisma Access.
  • Configure email and web filtering tooling to effectively protect against threats, by working alongside a Red Team to tune their configuration.

Improve user awareness

  • Deploy a phishing reporting button to allow employees to easily report suspected phishing emails and security teams to rapidly respond, such as Cofense Reporter.
  • Engage a phishing attack simulation service, such as Cofense PhishMe, to increase employee awareness and drive employee behavioural change in response to phishing attacks.

Using legitimate credentials to maintain access to systems and applications

MITRE ATT&CK techniques: Valid Accounts (T1078), External Remote Services (T1133)

Enforce strong authentication

Deploying custom malware to systems to conduct further actions

MITRE ATT&CK techniques: Command and Scripting Interpreter (T1059)

Protect endpoints from threats

Tune detection capabilities

  • Configure endpoint agents to detect the malware used by the attacker, by configuring alerts on the Indicators of Compromise (IOCs) listed in the advisory. Also, configure rules to detect the behaviours carried out by the malware referenced in this advisory.
  • Configure the web filtering tools to detect the command and control protocols used by the attacker, by configuring alerts on the IOCs listed in the advisory.
  • Engage a Red Team to simulate APT29 activity to provide an opportunity to test the effectiveness of existing defences and tune detection capabilities.

For more advice on how to implement tactical improvements in response to new threats or cyber attacks, see here.

Seek assistance from incident response experts if you detect an active cyber attack on your network when making security improvements.

Hi, my name is Will. I’m a cyber security consultant living in London. I help companies defend against cyber attacks. Opinions my own. Read more willoram.com