forked from splunk/security_content
cisa_aa23_347a.yml
name: CISA AA23-347A
date: '2023-12-14'
author: Teoderick Contreras, Rod Soto, Splunk
description: Leverage searches that allow you to detect and investigate unusual activities
  that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise,
  they also adjusted to each operating environment, and not all presented steps or actions below were executed on every host.
narrative: SVR cyber operations pose a persistent threat to public and private organizations' networks globally.
  Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks
  to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term
  targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that
  for Russia encompasses information on the politics, economics, and military of foreign states; science and technology;
  and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations.
  The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies.
  By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially
  compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limiting the SVR's
  ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its
  acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
tags:
  category:
  - Data Destruction
  - Malware
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection