October 11, 2024
Severity
High
Analysis Summary
Cybersecurity agencies in the United States and the United Kingdom have warned that APT29, a threat actor linked to Russia's Foreign Intelligence Service (SVR), is targeting vulnerable Zimbra and JetBrains TeamCity servers.
In a joint advisory, the NSA, FBI, U.S. Cyber Command's Cyber National Mission Force (CNMF), and the U.K.'s NCSC urge network defenders to patch exposed servers to prevent persistent compromise. According to the four authorities, the APT exploits CVE-2022-27924 and CVE-2023-42793 against unpatched, internet-exposed Zimbra and TeamCity servers to compromise victims globally across a range of sectors.
CVE-2023-42793 has also been used by North Korean threat groups and ransomware groups to gain initial access and carry out supply-chain attacks, while CVE-2022-27924 has been exploited since at least August 2022 to steal email account credentials from unpatched Zimbra Collaboration instances. Based on the SVR actors' TTPs and prior targeting, the authoring agencies assess that they are capable of, and motivated to, exploit further CVEs for initial access, remote code execution, and privilege escalation.
The advisory urges defenders to implement mitigations and deploy security updates to reduce the likelihood of a breach. It lists twenty vulnerabilities that have been discovered and resolved over the previous six years. This SVR threat group, also known as Cozy Bear, Midnight Blizzard (formerly Nobelium), and the Dukes, has long focused on government and business institutions in the US and Europe.
More than three years ago, in April 2021, the NSA, FBI, and CISA released a similar advisory in response to APT29's compromise of several U.S. federal agencies, which followed the group's coordinated supply-chain attack on SolarWinds. In November 2023, the group gained access to Microsoft 365 accounts belonging to NATO countries to collect data on international policy, and it also compromised the Exchange Online accounts of Microsoft executives and other businesses.
More recently, in February, the Five Eyes (FVEY) intelligence partnership issued a warning, stating that APT29 has begun to target cloud services used by potential victims. This activity poses a global threat to both the public and private sectors, necessitating a careful examination of security procedures, such as setting patch priorities and maintaining software updates.
Impact
- Credential Theft
- Code Execution
- Privilege Escalation
Remediation
- Apply the latest security patches and updates to Zimbra and TeamCity servers and their associated components to close the vulnerabilities APT29 is known to exploit. Prioritize patching known exploited vulnerabilities and zero-days, particularly on internet-exposed systems.
- Perform comprehensive security audits of the email server infrastructure to identify and address potential weaknesses. This includes reviewing server configurations, access controls, and encryption settings to ensure they meet industry best practices.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable 2FA for user accounts on the email server to add an extra layer of security, so that stolen usernames and passwords alone are not enough to gain access.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
- Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.