- The group, Energetic Bear, has been targeting dozens of US state, local, territorial, and tribal (SLTT) government networks since at least February 2020.
- Companies in the aviation industry were also targeted, CISA and FBI said.
- Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE-2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).
- To move laterally across compromised networks, CISA and the FBI said the Russian hackers used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials.
– Catalin Cimpanu | October 22, 2020