The National Security Agency (NSA), in conjunction with the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), has issued a cybersecurity alert listing five vulnerabilities that are currently being exploited by the Russian Foreign Intelligence Service (SVR) to compromise U.S. and allied networks.
The SVR has exploited, and continues to exploit, software vulnerabilities to gain access to victims’ devices and networks. SVR actors – also known as Cozy Bear, APT 29, and The Dukes – are conducting widespread scans to identify systems that have not been patched against known vulnerabilities, then exploiting those systems to obtain credentials and gain persistent access to networks for further attacks.
The five known vulnerabilities being exploited are:
- CVE-2018-13379 – Fortinet FortiGate VPN
- CVE-2019-9670 – Synacor Zimbra Collaboration Suite
- CVE-2019-11510 – Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 – Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 – VMware Workspace ONE Access
Patches to correct the vulnerabilities have been available in most cases for many months but have yet to be applied at many organizations, which leaves devices vulnerable to attack. The NSA, CISA, and the FBI are strongly encouraging all public and private sector organizations to ensure that patches are applied to fix the vulnerabilities and the associated mitigations are implemented. Investigations should also be conducted for indicators of compromise related to the vulnerabilities as networks may already have been compromised.
The alert coincides with the U.S. government’s formal attribution of the SolarWinds Orion software supply chain attack to the SVR. The SVR is also engaged in cyberattacks on COVID-19 research firms, which have been compromised through the VMware vulnerability – CVE-2020-4006 – in attacks involving WellMess malware.
President Biden has also announced sanctions against several Russian technology companies for assisting the SVR and other Russian agencies to perform cyberattacks in the United States, including ERA Technopolis, Pasit, SVA, Neobit, AST, and Positive Technologies. The sanctions prevent U.S. companies from doing business with any of the firms without first obtaining a license from OFAC.