Energetic Bear ! Strikes US
Share this:
The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks , said by advisory of CISA & FBI
Intruders identified as Russian hacker group, Energetic Bear a codename used by the cybersecurity industry. Other names for the same group also include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.
The two agencies said Energetic Bear “successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.”
Networking Gear has been the target of attack
Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.
Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE 2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).
To move laterally across compromised networks, they used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials.
Below are some of the details that are compromised and ex-filtrated by the group
- Sensitive network configurations and passwords.
- Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
- IT instructions, such as requesting password resets.
- Vendors and purchasing information.
- Printing access badges.
This recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. But nothing known to be till now.
