CISA, FBI and NSA Issue Cybersecurity Advisory for Cleared Defense Contractors
Last week, the Cybersecurity and Infrastructure Security Agency ("CISA"), Federal Bureau of Investigation ("FBI"), and National Security Agency ("NSA") issued a 19-page joint Alert (AA22-047A) for cleared defense contractors ("CDCs") due to "regular targeting" of CDCs by Russian state-sponsored cyber actors.
According to the Alert, the threat actors have targeted CDCs – both large and small, and subcontractors – with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the Department of Defense ("DoD") and Intelligence Community ("IC") in the following areas:
Command, control, communications, and combat systems;
Intelligence, surveillance, reconnaissance, and targeting;
Weapons and missile development;
Vehicle and aircraft design; and
Software development, data analytics, computers, and logistics.
According to the Alert, Russian state-sponsored cyber actors have targeted CDCs from at least January 2020 through February 2022. The threat actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities, including those supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.
Given the magnitude of this threat, the FBI, NSA, and CISA urge all CDCs to investigate suspicious activity – including the identified tactics, techniques, and procedures ("TTPs") – in their enterprise and cloud environments. To that end, the Alert, among other things, recommends the following:
Look for Evidence of Known TTPs
Look for behavioral evidence or network and host-based artifacts from known TTPs associated with this activity. To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for frequent, failed authentication attempts across multiple accounts.
To detect use of compromised credentials in combination with a virtual private server ("VPS"), follow the steps below:
Review logs for suspicious “impossible logins,” such as logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
Look for one IP used for multiple accounts, excluding expected logins.
Search for “impossible travel,” which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). Note: this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks.
Evaluate processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller.
Identify suspicious privileged account use after resetting passwords or applying user account mitigations.
Review logs for unusual activity in typically dormant accounts.
Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
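The password-spray check in the paragraph above and the VPS-related checks in this list (impossible logins, one IP across many accounts, impossible travel, unusual user agents) are all questions asked of the same sign-in log, so the following added example runs them together. It is not code from the Alert. The log lines, the IP-to-location table, the allowlist of expected shared egress addresses and the thresholds are constructed for illustration; a real pipeline would read M365 Unified Audit Log, AD FS or VPN events and resolve locations with a GeoIP database.

```python
"""Triage of sign-in records for the authentication-based detection opportunities above.
Added example, not from the Alert; records, coordinates and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed records: UTC timestamp | user | source IP | result | user agent.
# 203.0.113.10 sprays one password across five accounts, then succeeds as erin;
# frank signs in from Washington and, one hour later, from London.
SAMPLE_LOG = """\
2022-02-14T02:00:01|alice|203.0.113.10|fail|python-requests/2.27.1
2022-02-14T02:00:05|bob|203.0.113.10|fail|python-requests/2.27.1
2022-02-14T02:00:09|carol|203.0.113.10|fail|python-requests/2.27.1
2022-02-14T02:00:13|dave|203.0.113.10|fail|python-requests/2.27.1
2022-02-14T02:00:17|erin|203.0.113.10|fail|python-requests/2.27.1
2022-02-14T02:06:00|erin|203.0.113.10|success|python-requests/2.27.1
2022-02-14T08:00:00|grace|192.0.2.25|success|Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
2022-02-14T08:05:00|judy|192.0.2.25|success|Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
2022-02-14T09:00:00|frank|192.0.2.25|success|Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
2022-02-14T10:00:00|frank|198.51.100.7|success|Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
2022-02-14T10:10:00|heidi|198.51.100.7|success|Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
2022-02-14T10:20:00|ivan|198.51.100.7|success|Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
2022-02-14T17:00:00|grace|192.0.2.25|success|Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
"""

# Constructed IP-to-(lat, lon) table using RFC 5737 documentation addresses.
GEO = {
    "203.0.113.10": (40.7128, -74.0060),  # assumed: New York
    "192.0.2.25": (38.9072, -77.0369),    # assumed: Washington, DC (corporate VPN egress)
    "198.51.100.7": (51.5074, -0.1278),   # assumed: London
}
# Egress points legitimately shared by many users (NAT, corporate VPN). Listing them here is
# how the "excluding expected logins" and VPN false-positive caveats are honoured.
EXPECTED_SHARED_IPS = {"192.0.2.25"}


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result, ua = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "ok": result == "success", "ua": ua})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """One source IP failing against many distinct accounts inside a short window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e)
    hits = {}
    for ip, evs in fails.items():
        for i, start in enumerate(evs):          # sliding window anchored on each failure
            users = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                users.add(e["user"])
            if len(users) >= min_accounts and len(users) > len(hits.get(ip, ())):
                hits[ip] = sorted(users)
    return hits


def detect_shared_ip(events, min_accounts=3, expected=EXPECTED_SHARED_IPS):
    """One IP successfully authenticating as several users, excluding expected egress points."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["ok"] and e["ip"] not in expected:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Successive successful logins by one user that would need faster-than-airliner travel."""
    last, hits = {}, []
    for e in events:
        if not e["ok"] or e["ip"] not in GEO:
            continue
        prev = last.get(e["user"])
        if prev and prev["ip"] != e["ip"]:
            km = haversine_km(GEO[prev["ip"]], GEO[e["ip"]])
            hours = max((e["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)  # no div by zero
            if km / hours > max_speed_kmh:
                hits.append((e["user"], prev["ip"], e["ip"], round(km), round(km / hours)))
        last[e["user"]] = e
    return hits


def detect_unusual_agents(events, expected_prefixes=("Mozilla/",)):
    """Successful logins whose user agent does not look like an interactive browser (bot-like)."""
    return [(e["user"], e["ip"], e["ua"]) for e in events
            if e["ok"] and not e["ua"].startswith(expected_prefixes)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for name, fn in [("password spray", detect_password_spray), ("shared IPs", detect_shared_ip),
                     ("impossible travel", detect_impossible_travel), ("unusual agents", detect_unusual_agents)]:
        print(f"{name}: {fn(evs)}")
```

On the constructed data the spray check names 203.0.113.10 with five accounts, the shared-IP check names 198.51.100.7 (192.0.2.25 is allowlisted even though three users log in through it), the travel check flags frank's Washington-to-London hop at roughly 5,900 km in one hour, and the user-agent check surfaces the one successful login from the spraying tool. Treat the thresholds as starting points to tune against your own baseline; the Alert's caveat about users who connect through a VPN before authenticating applies to both the travel and shared-IP checks.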
Further, CISA, the FBI, and the NSA encourage all CDCs – regardless of whether there have been any indicators of compromise – to apply the following mitigations to reduce the risk of compromise by this threat actor (the Alert lists additional mitigations not reproduced below):
Enable Multifactor Authentication
Enforce Strong, Unique Passwords
Introduce Account Lockout and Time-Based Access Features
Reduce Credential Exposure
Create a centralized log management system
If using M365, enable Unified Audit Log (UAL)
Correlate logs, including M365 logs, from network and host security devices.
Ensure PowerShell logging is turned on.
Update PowerShell instances to version 5.0 or later
Confirm PowerShell 5.0 instances have module, script block, and transcription logging enabled.
Monitor remote access/Remote Desktop Protocol (RDP) logs and disable unused remote access/RDP ports.
Consider using a centralized patch management system.
Ensure that antivirus applications are installed on all of the organization’s computers and are configured to prevent spyware, adware, and malware as part of the operating system security baseline.
Keep virus definitions up to date.
Regularly monitor antivirus scans.
Utilize endpoint detection and response (EDR) tools.
Audit configuration management programs to ensure they can track and mitigate emerging threats.
Apply the principle of least privilege.
Regularly update VPNs, network infrastructure devices, and devices used for remote work environments with the latest software patches and security configurations.
Provide end user awareness and training.
Inform employees of the risks of social engineering attacks, e.g., risks associated with posting detailed career information to social or professional networking sites.
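The earlier detection item on credential dumping (command-line arguments that indicate attempts to access or copy ntds.dit from a domain controller) depends on the logging the mitigations above ask for: process-creation events that carry the command line, and PowerShell module, script block and transcription logs. The following added example, not code from the Alert, shows how a hunt over those events can look. The events are constructed; the source labels 4688 (Security process creation, which only carries the command line when command-line auditing is enabled) and 4104 (PowerShell script block logging) and the pipe-separated field layout are assumptions for this example. The rule patterns cover the widely documented ntdsutil IFM export, shadow-copy-then-copy and registry-hive-save techniques for taking ntds.dit and its decryption key offline, plus LSASS dumping and mimikatz-style invocations.

```python
"""Hunt process-creation and PowerShell script-block events for credential-dumping command
lines, especially attempts to read or copy ntds.dit from a domain controller.
Added example, not from the Alert; events and field layout are constructed."""
import re
from collections import defaultdict

# Constructed events: source | host | user | command line. jdoe's run on DC01 is the classic
# shadow copy -> copy ntds.dit -> save SYSTEM hive chain; svc_backup and asmith are noise/context.
SAMPLE_EVENTS = r"""
4688|DC01|svc_backup|vssadmin list shadows
4688|DC01|jdoe|ntdsutil "ac i ntds" "ifm" "create full C:\temp\out" q q
4688|DC01|jdoe|vssadmin create shadow /for=C:
4688|DC01|jdoe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\n.dit
4688|DC01|jdoe|reg save HKLM\SYSTEM C:\temp\sys.hiv
4104|WS07|asmith|Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'
4688|WS07|asmith|robocopy D:\share E:\backup /MIR
"""

# (rule name, pattern). Each pattern is a distinct stage or tool, so several distinct
# rule hits from one actor are much stronger evidence than one hit.
RULES = [
    ("ntds.dit referenced", re.compile(r"ntds\.dit", re.I)),
    ("ntdsutil IFM export", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("shadow copy created", re.compile(r"vssadmin\s+create\s+shadow|diskshadow|shadowcopy\s+call\s+create", re.I)),
    ("shadow copy device path", re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)),
    ("esentutl copy of locked file", re.compile(r"esentutl.*\s/y\b", re.I)),
    ("registry hive saved", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("LSASS dump or mimikatz", re.compile(r"procdump.*lsass|comsvcs.*minidump|mimikatz|lsadump::|sekurlsa::", re.I)),
]


def parse_events(text):
    rows = []
    for line in text.strip().splitlines():
        source, host, user, cmd = line.split("|", 3)
        rows.append({"source": source, "host": host, "user": user, "cmd": cmd})
    return rows


def scan(events, rules=RULES):
    """One hit per (event, rule) match: (host, user, rule name, command line)."""
    return [(e["host"], e["user"], name, e["cmd"])
            for e in events for name, rx in rules if rx.search(e["cmd"])]


def rank_actors(hits, min_rules=2):
    """Group hits by (host, user) and keep actors that tripped at least min_rules distinct rules.
    A backup agent may legitimately create shadow copies; it does not then copy ntds.dit."""
    by_actor = defaultdict(set)
    for host, user, name, _ in hits:
        by_actor[(host, user)].add(name)
    return {actor: sorted(names) for actor, names in by_actor.items() if len(names) >= min_rules}


if __name__ == "__main__":
    found = scan(parse_events(SAMPLE_EVENTS))
    for host, user, name, cmd in found:
        print(f"{host} {user:<10} {name:<28} {cmd}")
    print("escalate:", rank_actors(found))
```

The single-rule hits still deserve a look (asmith's script block on WS07 is a DCSync attempt and should be escalated on its own), but ranking by distinct stages per actor is what separates jdoe's chain on DC01 from the backup agent's routine `vssadmin list shadows`. Pair this with the recommendation above to identify suspicious privileged-account use after password resets: a domain controller showing these command lines is exactly where to look for it.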
. . .