Energetic Bear Cyber Attack Detection

Last week the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released a joint security advisory related to recently discovered cyberattacks of Russian state-sponsored cyber-espionage unit. Energetic Bear (also known as Dragonfly, Crouching Yeti, TEMP.Isotope, TeamSpy, Berserk Bear, Havex, and Koala) is actively interested in the US elections this time around. Over the past nine months, the group has attacked dozens of state, local, territorial, and tribal government networks housing the elections information, and aviation networks, according to the document. In at least two cases, their attacks have been successful. Some attacks have been known for a long time, but most have passed under the radars of security researchers.

Vulnerabilities exploited by Energetic Bear

During the attacks, Energetic Bear exploited relatively fresh vulnerabilities for which patches are available, to compromise networking gear, infiltrate internal networks, discover and exfiltrate sensitive data. The document mentions Citrix Directory Traversal Bug (CVE-2019-19781), a Microsoft Exchange remote code execution flaw (CVE-2020-0688), Fortinet VPN vulnerability (CVE-2018-13379), and Exim SMTP vulnerability (CVE 2019-10149). Attackers also exploit Zerologon vulnerability in Windows Servers (CVE-2020-1472) to collect Windows Active Directory credentials and use them for lateral movement.

Detection content to uncover their attacks

To help you proactively defend against possible Energetic Bear attacks reported in AA20-296A alert, we have prepared a full list of the most relevant detection content that addresses tools, techniques and exploited vulnerabilities. All content is directly mapped to the MITRE ATT&CK® framework and contains relevant references and descriptions:

To view SOC content addressing the activities of the reported Russian state-sponsored group, follow the links:

• Content covering attacks attributed to the Energetic Bear group reported in AA20-296A
• Techniques of Russian threat actors reported in AA20-296A 

As you can see, critical vulnerabilities and available exploits to them are of particular interest to advanced threat actors. Three of the five vulnerabilities mentioned in this article are also actively exploited by Chinese state-sponsored actors, according to another Cybersecurity Advisory by NSA. Get the whole list of detection content filtered to address the vulnerabilities mentioned in AA20-296A Alert:

• Content to detect exploitation of CVE reported in AA20-296A

To view all relevant techniques, threat actors, and vulnerabilities as a single search result, check out this link:

• Content covering tools and techniques of the APT group, and exploited vulnerabilities 

For more enhanced analytics on the related TTPs, visit the MITRE ATT&CK page at Threat Detection Marketplace or check the MITRE ATT&CK map on the website. 

Supercharge your threat detection and response speed, leveraging Continuous Security Intelligence to streamline daily SOC operations with Continuous Content Management.

Ready to try out SOC Prime Threat Detection Marketplace? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the Threat Detection Marketplace community.