Tactical actions organisations can take to defend against recent APT29 activity

On Thursday 16 July 2020, the NCSC released an advisory on how Russian cyber actors are targeting organisations involved in COVID-19 vaccine development.

The advisory details four activities APT29 are carrying out as part of this ongoing campaign, focusing on the initial stages of a cyber attack:

• Exploiting vulnerabilities in Internet-facing systems to obtain authentication credentials;
• Spearphishing employees to obtain authentication credentials;
• Using legitimate credentials to maintain access to systems and applications; and,
• Deploying custom malware to systems to conduct further actions.

In this blog, I outline the tactical actions organisations should consider taking to defend against each of these activities.

Organisations should defend against all previous tools and techniques APT29 have been observed using, not just the four activities listed in this advisory. For more information on this and mitigations that can be taken, see here.

Exploiting vulnerabilities in Internet-facing systems to obtain authentication credentials

MITRE ATT&CK techniques: Exploit Public-Facing Application (T1190)

Improve IT hygiene

• Perform a vulnerability scan of Internet-facing IP address ranges to identify any vulnerable services, by using vulnerability scanning tools such as Tenable.io. Alternatively, engage a cyber security company to assist you with this by providing penetration testing services.
• Patch Internet-facing systems and services to remove vulnerabilities attackers could exploit. Upgrade or decommission systems that can not be patched. Internet-facing vulnerabilities that can be exploited by attackers should not be risk accepted.
• Manually confirm security patches have been applied to services commonly exploited by attackers to ensure these services have not been overlooked by normal patching processes. This should include instances of Citrix, Pulse Secure, FortiGate or Zimbra.
• Review logs of any vulnerable systems identified to investigate whether the vulnerabilities were previously exploited by attackers. If no logs are available for a system, consider re-building it or engaging incident response experts to investigate it for evidence of compromise.
• Restrict the use of domain administrator accounts to prevent credentials for these accounts being exposed on servers at risk of compromise. Restrict accounts in the domain admins group from logging into workstations and servers, to start to implementing a three-tiered administration model.

Spearphishing employees to obtain authentication credentials

MITRE ATT&CK techniques: Phishing (T1566)

Uplift email and web filtering

• Deploy an advanced email filtering tool to help protect against phishing emails, for example, Office 365 Advanced Threat Protection.
• Deploy a web filtering tool to control access to Internet traffic with security policies, protect against web-based threats and prevent credential phishing attacks, for example, Palo Alto Networks Prisma Access.
• Configure email and web filtering tooling to effectively protect against threats, by working alongside a Red Team to tune their configuration.

Improve user awareness

• Deploy a phishing reporting button to allow employees to easily report suspected phishing emails and security teams to rapidly respond, such as Cofense Reporter.
• Engage a phishing attack simulation service, such as Cofense PhishMe, to increase employee awareness and drive employee behavioural change in response to phishing attacks.

Using legitimate credentials to maintain access to systems and applications

MITRE ATT&CK techniques: Valid Accounts (T1078), External Remote Services (T1133)

Enforce strong authentication

• Enforce multi-factor authentication for all remote access services, such as VPNs, to reduce the impact of password compromises. Consider a phased deployment targeting high-risk users first, including administrators, IT teams and senior management.
• Secure access to O365 by following Microsoft good practice security advice for O365 including using multi-factor authentication, Azure AD conditional access, Cloud App Security and taking action to improve the Office 365 Secure Score.
• Onboard email and remote access authentication logs to a cloud-based SIEM, such as Azure Sentinel, to identify the use of compromised credentials. Configure rules to detect anomalous behaviour and common behaviours carried out by attackers.

Deploying custom malware to systems to conduct further actions

MITRE ATT&CK techniques: Command and Scripting Interpreter (T1059)

Protect endpoints from threats

• Deploy an advanced endpoint agent to all workstations and servers to detect and prevent attacker activity, such as Windows Defender ATP or Cortex XDR. Ensure the endpoint agents supports the Windows Antimalware Scan Interface (AMSI) and blocking mode is enabled.
• Onboard a “Managed Detection and Response” service to hunt for and rapidly contain sophisticated cyber threats.
• Restrict what can be executed on workstations to reduce the risk of phishing attacks by restricting the use of PowerShell with constrained language mode, configuring scripting file-types to open with notepad by default (e.g. VBS, JS, HTA and VBS), blocking execution of mshta.exe and deploying Windows Defender Attack Surface Reduction rules.
• Restrict the execution of Microsoft Office macros on workstations to reduce the risk of phishing attacks by considering the advice here and targeting vulnerable user groups who are not required to use macros for their daily work. Key mitigations include blocking macros from running in documents from the Internet and restricting macros to documents stored in trusted locations.

Tune detection capabilities

• Configure endpoint agents to detect the malware used by the attacker, by configuring alerts on the Indicators of compromise (IOCs) listed in the advisory. Also, configure rules to detect the behaviours carried out by the malware referenced in this advisory.
• Configure the web filtering tools to detect the command and control protocols used by the attacker, by configuring alerts on the IOCs listed in the advisory.
• Engage a Red Team to simulate ATP29 activity to provide an opportunity to test the effectiveness of existing defences and tune detection capabilities.

For more advice on how to implement tactical improvements in response to new threats or cyber attacks see here:

Seek assistance from incident response experts if you detect an active cyber attack on your network when making security improvements.