The US government said that a Russian state-sponsored hacking group has successfully breached US government networks. The group was identified as Energetic Bear. It has been targeting numerous US state, local, territorial, and tribal government networks since February 2020. The group appears to have breached the government servers by chaining VPN appliance and Windows bugs.
The Russian attackers used publicly known vulnerabilities to breach networking equipment, pivot to internal networks, elevate privileges, and steal data. The targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE-2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).
Once in, the attackers used the Zerologon vulnerability in Windows Server (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials. The group then used these credentials to roam through a target's internal network. Some of the data that was exfiltrated included:
- Sensitive network configurations and passwords.
- Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
- IT instructions, such as requesting password resets.
- Vendors and purchasing information.
- Printing access badges.
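As an added defender's example, not part of the original post or the cited article: a small Python check over constructed Windows event records that flags the two best-known Zerologon (CVE-2020-1472) artifacts on a domain controller: Security Event ID 4742 where a machine account's password is changed by ANONYMOUS LOGON, and the Netlogon enforcement events 5827/5828/5829 in the System log (5829 meaning a vulnerable secure channel was allowed). Field names follow the usual Windows event schema; the host names, account names and events themselves are made up for this example.

```python
"""Flag Zerologon (CVE-2020-1472) artifacts in Windows event records.

The sample events below are constructed for this example; in practice they
would be exported from a domain controller's Security and System logs.
"""
from typing import Dict, Iterable, List

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: DC machine account rotates its own password (normal every 30 days).
    {"Channel": "Security", "EventID": "4742", "Computer": "DC01.example.local",
     "SubjectUserName": "DC01$", "TargetUserName": "DC01$"},
    # Suspicious: DC machine account password changed by an anonymous caller.
    {"Channel": "Security", "EventID": "4742", "Computer": "DC01.example.local",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    # Suspicious: Netlogon allowed a vulnerable secure channel (Event ID 5829).
    {"Channel": "System", "EventID": "5829", "Computer": "DC01.example.local",
     "SamAccountName": "WS-FINANCE$"},
    # Benign logon noise that the check must ignore.
    {"Channel": "Security", "EventID": "4624", "Computer": "WS07.example.local",
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
]

# Netlogon enforcement events: 5827/5828 denied a vulnerable connection,
# 5829 allowed one (the case that needs immediate follow-up).
VULNERABLE_CHANNEL_EVENTS = {"5827", "5828", "5829"}


def classify(event: Dict[str, str]) -> str:
    """Return a finding label for one event, or '' if it is not of interest."""
    eid = event.get("EventID")
    if eid == "4742":
        subject = event.get("SubjectUserName", "").upper()
        target = event.get("TargetUserName", "")
        # A machine account password reset by an unauthenticated caller is the
        # classic post-exploitation artifact of Zerologon.
        if subject == "ANONYMOUS LOGON" and target.endswith("$"):
            return f"zerologon_password_reset:{target}"
    elif eid in VULNERABLE_CHANNEL_EVENTS and event.get("Channel") == "System":
        account = event.get("SamAccountName", "?")
        return f"netlogon_vulnerable_channel:{eid}:{account}"
    return ""


def find_zerologon_indicators(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run classify() over events and return the non-empty findings."""
    return [label for label in (classify(e) for e in events) if label]


if __name__ == "__main__":
    for finding in find_zerologon_indicators(SAMPLE_EVENTS):
        print(finding)
```

A hit on 4742 with ANONYMOUS LOGON is strong enough on its own to trigger incident response, since a legitimate password rotation is always performed by the account itself.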
https://www.zdnet.com/article/fbi-cisa-russian-hackers-breached-us-government-networks-exfiltrated-data/#ftag=RSSbaffb68