The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) jointly released a Cybersecurity Advisory warning that Russian APT operators are exploiting five known and already patched vulnerabilities in corporate VPN infrastructure products, stressing that it is “critically important” to mitigate these issues immediately.
The warning was issued to call attention to a quintet of CVEs that are being actively exploited by a threat actor affiliated with Russia’s foreign intelligence service (SVR).
Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems to obtain authentication credentials to allow further access.
This targeting and exploitation encompass U.S. and allied networks, including national security and government-related systems.
Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse.
SVR cyber actors also used authentication abuse tactics following SolarWinds-based breaches.
Mitigation against these vulnerabilities is critically important as the U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors.
Five Vulnerabilities That Need Immediate Attention
- CVE-2018-13379 Fortinet FortiGate VPN
- CVE-2019-9670 Synacor Zimbra Collaboration Suite
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 VMware Workspace ONE Access
The NSA’s decision to pinpoint the five old security flaws suggests that many organizations are slow to apply the available fixes, especially during the pandemic when work-from-home expanded the need for VPN technologies.
NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and to immediately implement associated mitigations.
NSA, CISA, and FBI also recognize all partners in the private and public sectors for comprehensive and collaborative efforts to respond to recent Russian activity in cyberspace.