TTCSIRT-393.04.27.21 TTCSIRT ADVISORY - NSA-CISA-FBI JOINT ADVISORY ON RUSSIAN SVR TARGETING U.S. AND ALLIED NETWORKS
The Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) of the United States have released a Joint Cybersecurity Advisory (CSA) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.
Specifically, SVR actors are targeting and exploiting the following vulnerabilities:
Additionally, the White House has released a statement formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:
- Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
- Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
- Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
- Malware Analysis Report AR21-039A: MAR-10318845-1.v1 – SUNBURST
- Malware Analysis Report AR21-039B: MAR-10320115-1.v1 – TEARDROP
- Table: SolarWinds and Active Directory/M365 Compromise – Detecting APT Activity from Known TTPs
- Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page
- Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
The Trinidad and Tobago Cybersecurity Incident Response Team (TTCSIRT) strongly encourages users and administrators to review the Joint CSA "Russian SVR Targets U.S. and Allied Networks" for SVR tactics, techniques, and procedures, as well as mitigation strategies.
For further insight on this advisory kindly follow the link below: