Last week the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released a joint security advisory on recently discovered cyberattacks by a Russian state-sponsored cyber-espionage unit. Energetic Bear (also known as Dragonfly, Crouching Yeti, TEMP.Isotope, TeamSpy, Berserk Bear, Havex, and Koala) is actively interested in the US elections this time around. Over the past nine months, the group has attacked dozens of state, local, territorial, and tribal government networks housing election information, as well as aviation networks, according to the document. In at least two cases, their attacks have been successful. Some attacks have been known for a long time, but most have passed under the radar of security researchers.
Vulnerabilities exploited by Energetic Bear
During the attacks, Energetic Bear exploited relatively fresh vulnerabilities, for which patches are available, to compromise networking gear, infiltrate internal networks, and discover and exfiltrate sensitive data. The document mentions a Citrix directory traversal bug (CVE-2019-19781), a Microsoft Exchange remote code execution flaw (CVE-2020-0688), a Fortinet VPN vulnerability (CVE-2018-13379), and an Exim SMTP vulnerability (CVE-2019-10149). Attackers also exploit the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to collect Windows Active Directory credentials and use them for lateral movement.
Detection content to uncover their attacks
To help you proactively defend against possible Energetic Bear attacks reported in the AA20-296A alert, we have prepared a full list of the most relevant detection content that addresses tools, techniques, and exploited vulnerabilities. All content is directly mapped to the MITRE ATT&CK® framework and contains relevant references and descriptions.
To view SOC content addressing the activities of the reported Russian state-sponsored group, follow the links:
- Content covering attacks attributed to the Energetic Bear group reported in AA20-296A
- Techniques of Russian threat actors reported in AA20-296A
As you can see, critical vulnerabilities and the exploits available for them are of particular interest to advanced threat actors. Three of the five vulnerabilities mentioned in this article are also actively exploited by Chinese state-sponsored actors, according to another Cybersecurity Advisory by the NSA. Get the whole list of detection content filtered to address the vulnerabilities mentioned in the AA20-296A alert:
To view all relevant techniques, threat actors, and vulnerabilities as a single search result, check out this link:
Supercharge your threat detection and response speed, leveraging Continuous Security Intelligence to streamline daily SOC operations with Continuous Content Management.