NCSC issues fresh alert over wave of Cozy Bear activity

The UK’s National Cyber Security Centre (NCSC) and its American partner agencies, the National Security Agency (NSA) and the FBI, have today published another alert highlighting the ongoing exploitation of vulnerabilities, at scale, by threat actors linked to the Russian state.

The latest advisory warns organisations at risk of being targeted by Moscow’s Foreign Intelligence Service, the SVR, to rapidly deploy patches and prioritise software updates as soon as they become available.

The SVR is one of a number of Russian agencies suspected of providing tasking to the group known as APT29, or more fancifully, Cozy Bear. Cozy Bear was behind the Solorigate/Sunburst incident affecting SolarWinds customers, and the 2016 hack of the US Democratic National Committee, among many other things.

“Russian cyber actors are interested in and highly capable of accessing unpatched systems across a range of sectors, and once they are in, they can exploit this access to meet their objectives,” said NCSC operations director Paul Chichester. 

“All organisations are encouraged to bolster their cyber defences: take heed of the advice set out within the advisory and prioritise the deployment of patches and software updates,” he added.

The agencies highlighted some of the latest tactics being used to collect foreign intelligence by Cozy Bear, which of late specialises in targeting government and diplomatic bodies, think tanks, tech companies and financial institutions.

It is known to scan internet-facing systems to find unpatched vulnerabilities at scale to opportunistically exploit them in hope of further compromises down the line.

As such, any organisation in any sector – not just those at particular risk of targeted espionage – may find themselves in hot water as Cozy Bear takes advantage of their vulnerable systems to host malicious infrastructure, run follow-on operations from compromised accounts, or pivot to other networks.

This was most famously seen in the Sunburst incident, where SolarWinds unknowingly provided the stepping stone to US government networks.

The advisory documents Cozy Bear’s ongoing use of multiple publicly disclosed vulnerabilities in a diverse range of suppliers’ products in the service of its intrusions.

Some of these issues date back well over five years and all have been disclosed and patched. Collectively, they enable a wide range of attack scenarios.

Of particular note lately are two issues assigned designations CVE-2022-27924 and CVE-2023-42793.

The first of these is a command injection vulnerability in Zimbra that enables an unauthenticated user to inject arbitrary commands into a targeted instance, causing an overwrite of arbitrary cached entries. Cozy Bear has exploited it at scale in hundreds of domains worldwide and used it to access user credentials and mailboxes without having to interact with its victims.

The second is an arbitrary code execution flaw in JetBrains TeamCity that arises through the insecure handling to specific paths allowing for authentication bypass.

The partners said that based on Cozy Bear’s known tactics, techniques and procedures (TTPs) and its previous targeting, the operation has both the capability and the interest in exploiting additional CVEs for initial access, remote code execution and privilege escalation.