The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) jointly released a Cybersecurity Advisory, “Russian SVR Targets U.S. and Allied Networks,” to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. This advisory is being released alongside the U.S. government’s formal attribution of the SolarWinds supply chain compromise and related cyber espionage campaign. We are publishing this product to highlight additional tactics, techniques, and procedures being used by SVR so that network defenders can take action to mitigate against them.  

Mitigation against these vulnerabilities is critically important as U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors. In addition to compromising the SolarWinds Orion software supply chain, recent SVR activities include targeting COVID-19 research facilities via WellMess malware and targeting networks through the VMware vulnerability disclosed by NSA. This was highlighted in NSA’s Cybersecurity Advisory, “Russian State-Sponsored Actors Exploiting Vulnerability in Workspace ONE Access Using Compromised Credentials.”

NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations. NSA, CISA, and FBI also recognize all partners in the private and public sectors for comprehensive and collaborative efforts to respond to recent Russian activity in cyberspace.

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, explains, "Vulnerabilities in two VPN systems, two virtualization platforms, and one collaboration solution seem to be a mighty combo. Four of them are 12 months or older, which is not a good sign for the overall cyber hygiene in the US, given that all are either rated as severe or even critical in NIST's NVD. It looks like adversaries can rely on the lack of diligence related to essential cyber security controls, even more so in pandemic times. Which is weird, because NIST's own guidelines are - if implemented - making it even easier to protect a given infrastructure from known issues. Vulnerability Management, Integrity Monitoring, System Hardening and Change Control are the elements needed in the tool chain to achieve NIST compliance (or others"

If publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status quo disconnect between many organizations' understanding of risk and basic IT hygiene, says Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers. "The unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage. This underscores why security leaders should assume that, for all the best intentions of their technology peers, compromises will occur – their imperative is to detect, respond, and recover from those events to expel adversaries before material damage is realized."

"Impacts on Russian cyber activity will likely be minimal if history repeats itself. The United States imposed sanctions on Russia as a result of the assessed 2016 election interference. As we are still having this conversation, the sanctions likely did not significantly impact Russian advanced persistent threat (APT) operations," says Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions: Although the unilateral response implied through joint statements from US intelligence and Five Eyes (FVEY) countries sends a strong message on the geopolitical stage, a more internationally unified approach to cyber defense has the best potential to help foil future malicious nation-state activity, as displayed in the SolarWinds incident.

NSA encourages its customers to mitigate against the following publicly known vulnerabilities:

  • CVE-2018-13379 Fortinet FortiGate VPN
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
  • CVE-2019-19781 Citrix Application Delivery Controller and Gateway
  • CVE-2020-4006 VMware Workspace ONE Access

For more information, review the advisory or visit NSA.gov/cybersecurity-guidance.

View the infographic on understanding the threat and how to take action.