Rewterz Threat Alert – Russian SVR/APT29 Reactivated After SolarWinds Supply Chain Attack

Severity

High

Analysis Summary

The FBI and the CISA are warning of continued cyberthreats stemming from Russia’s Foreign Intelligence Service, or SVR, often associated with SolarWinds supply chain attack. Several tools and techniques used by the SVR have been discovered, including the exploitation of several well-known vulnerabilities found in SolarWinds products and VPNs that allow for remote access to networks. 

Attackers associated with the SVR continue to update their techniques to avoid detection. Following TTPs have been observed recently:

• Shift from planting malware in networks to hacking cloud-based applications, especially email, to steal data and other information
• The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software
• Usage of some of the same techniques leveraged in the SolarWinds supply chain attack to target others
• Password spraying activity in a ‘low and slow’ manner, attempting a small number of passwords at infrequent intervals
• Usage of large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile and The Onion Router (TOR) addresses
• Taking advantage of misconfigurations within the targeted organization’s systems and applications
• Authentication on non-administrative accounts as well as administrator’s account
• Accessing a wide variety of email accounts
• Covering up the attack by using proxy servers
• Minimal overlap between the VPSs used for different compromised accounts

Earlier, this APT exploited a zero-day vulnerability in Citrix’s Application Delivery Controller and Gateway products to attack another unnamed organization.

Impact

• Unauthorized Remote Access
• Detection Evasion
• Security Bypass
• Network Compromise

Indicators of Compromise

Domain Name

• globalnetworkissues[.]com
• seobundlekit[.]com
• thedoccloud[.]com
• virtualwebdata[.]com
• websitetheme[.]com
• deftsecurity[.]com
• digitalcollege[.]org
• freescanonline[.]com
• kubecloud[.]com
• solartrackingsystem[.]net
• sense4baby[.]fr
• globalnetworkissues[.]com
• seobundlekit[.]com
• thedoccloud[.]com
• eyetechltd[.]com
• deftsecurity[.]com
• digitalcollege[.]org
• freescanonline[.]com
• kubecloud[.]com
• solartrackingsystem[.]net
• virtualwebdata[.]com
• megatoolkit[.]com
• websitetheme[.]com
• zupertech[.]com
• incomeupdate[.]com
• highdatabase[.]com
• onetechcompany[.]com
• databasegalore[.]com
• panhardware[.]com
• mobilnweb[.]com
• infinitysoftwares[.]com
• swipeservice[.]com
• datazr[.]com
• bigtopweb[.]com
• ervsystem[.]com
• lcomputers[.]com
• olapdatabase[.]com
• gallerycenter[.]org
• nikeoutletinc[.]org
• virtualdataserver[.]com
• techiefly[.]com
• financialmarket[.]org
• aimsecurity[.]net
• srfnetwork[.]org
• reyweb[.]com
• webcodez[.]com

Source IP

• 185[.]185[.]117[.]15
• 18[.]220[.]219[.]143
• 3[.]16[.]81[.]254
• 54[.]215[.]192[.]52
• 46[.]32[.]252[.]175
• 13[.]59[.]205[.]66
• 13[.]57[.]184[.]217
• 54[.]193[.]127[.]66
• 3[.]87[.]182[.]149
• 34[.]219[.]234[.]134
• 18[.]217[.]225[.]111
• 45[.]89[.]106[.]3
• 34[.]203[.]203[.]23
• 18[.]253[.]52[.]187
• 51[.]89[.]125[.]18
• 5[.]252[.]177[.]25
• 139[.]99[.]115[.]204
• CONFIDENTIAL 4
• 144[.]217[.]174[.]58
• 5[.]252[.]177[.]21
• 204[.]188[.]205[.]176
• 172[.]97[.]71[.]162
• 107[.]152[.]35[.]77
• 162[.]241[.]124[.]32
• 51[.]195[.]70[.]74
• 45[.]150[.]4[.]10
• 45[.]10[.]21[.]121
• 198[.]12[.]75[.]112
• 162[.]223[.]31[.]184
• 192[.]3[.]31[.]210
• 135[.]181[.]10[.]254
• 158[.]69[.]243[.]52
• 66[.]172[.]27[.]175
• 93[.]119[.]106[.]69
• 23[.]92[.]211[.]15
• 199[.]241[.]143[.]102
• 185[.]225[.]69[.]69

Remediation

• Block the threat indicators at their respective controls.
• Keep all systems and software updated to latest patched versions.
• Prioritize a vulnerability management process to patch them as soon as updates are available.
• Look for compromises within your networks and scan for IoCs.
• Enable multi-factor authentication wherever possible.