In December 2020, FireEye, a US cybersecurity firm, discovered a highly sophisticated APT (Advanced Persistent Threat) attack that leveraged Orion, the IT monitoring tool made by SolarWinds, to compromise the computer systems of dozens of businesses and government departments, including Microsoft and the US Department of Homeland Security. It was the largest and most far-reaching supply chain attack yet, and it appeared to have been meticulously planned and executed.
Although all fingers had already been pointing towards Russia, on April 15, 2020, the White House officially disclosed that the culprit behind the massive cyber exploit was APT29, also known as Cozy Bear, a hacking group backed by Russia's Foreign Intelligence Service (SVR). In the wake of the SolarWinds attack and various other cybersecurity incidents, the NSA, CISA, and FBI have highlighted the top five publicly known vulnerabilities in the Russian SVR's toolkit, used to steal data from, or simply disrupt, US government organizations and businesses.
The earlier network defenders across organizations patch the known vulnerable devices, the harder it will be for nation-state actors to launch cyberattacks of such tremendous scale. Here are the vulnerabilities pointed out in the recent Cybersecurity Advisory:
1. CVE-2018-13379 – Fortinet FortiOS
This vulnerability is found in Fortinet FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12.
It permits unauthorized users to download system files through specially crafted HTTP resource requests. The software update that patches this vulnerability has been available since 2019.
2. CVE-2019-9670 – Synacor Zimbra Collaboration Suite
This vulnerability impacts the mailboxd component of the Synacor Zimbra Collaboration Suite versions 8.7.x before 8.7.11p10.
It is an XML External Entity injection (XXE) vulnerability that allows remote attackers to execute arbitrary code as the user running the vulnerable application. The solution is simply to upgrade to version 8.7.11p10 or later.
3. CVE-2019-11510 – Pulse Connect Secure VPNs
This vulnerability affects Pulse Secure VPN versions 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.
It allows unauthenticated attackers to remotely read files containing usernames and plaintext passwords by sending a specific Uniform Resource Identifier (URI). The patch for this vulnerability was issued back in April 2019.
4. CVE-2019-19781 – Citrix Application Delivery Controller and Gateway
This critical vulnerability affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15, and 10.5.70.12, and Citrix SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.
This directory traversal vulnerability allows unauthenticated attackers to remotely execute malicious code, or to view, change, or delete data, depending on the privileges of the user running the exploited application. Citrix released permanent fixes in January 2020 to mitigate the vulnerability.
5. CVE-2020-4006 – VMware Workspace ONE Access
This vulnerability is present in VMware Workspace ONE Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 to 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 to 3.3.3 and 19.03, VMware Cloud Foundation 4.0 to 4.1, and VMware vRealize Suite Lifecycle Manager 8.x.
It is a command injection vulnerability that Russian state-sponsored actors have previously exploited to deploy web shells on vulnerable servers, exfiltrate data, and execute commands remotely. VMware issued a full patch for this vulnerability in December 2020.
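As an added illustration that is not part of the original advisory or this article, the following Python helper checks a constructed asset inventory against the affected version ranges stated above for the three products whose ranges are given as plain version bounds (FortiOS, Zimbra, and Pulse Connect Secure). The product names, hostnames, and inventory versions are assumed sample data.

```python
import re
from typing import List, Tuple

# Affected ranges as stated in the advisory summary: (CVE, product, low, high, high_inclusive).
# "x to y" ranges include both ends; "before y" ranges stop just below the fixed build y.
AFFECTED: List[Tuple[str, str, str, str, bool]] = [
    ("CVE-2018-13379", "Fortinet FortiOS", "6.0.0", "6.0.4", True),
    ("CVE-2018-13379", "Fortinet FortiOS", "5.6.3", "5.6.7", True),
    ("CVE-2018-13379", "Fortinet FortiOS", "5.4.6", "5.4.12", True),
    ("CVE-2019-9670", "Zimbra Collaboration Suite", "8.7", "8.7.11p10", False),
    ("CVE-2019-11510", "Pulse Connect Secure", "8.2", "8.2R12.1", False),
    ("CVE-2019-11510", "Pulse Connect Secure", "8.3", "8.3R7.1", False),
    ("CVE-2019-11510", "Pulse Connect Secure", "9.0", "9.0R3.4", False),
]

# Constructed sample inventory (hostname, product, version); these are not real assets.
INVENTORY = [
    ("vpn-01", "Pulse Connect Secure", "9.0R3.2"),
    ("vpn-02", "Pulse Connect Secure", "9.0R3.4"),
    ("fw-edge", "Fortinet FortiOS", "5.6.7"),
    ("mail-01", "Zimbra Collaboration Suite", "8.7.11"),
]

def version_key(version: str) -> Tuple[int, ...]:
    """Reduce a vendor version string to the tuple of its digit runs for ordering:
    '8.2R12.1' -> (8, 2, 12, 1); '8.7.11p10' -> (8, 7, 11, 10); a bare '8.7.11' -> (8, 7, 11),
    which sorts below (8, 7, 11, 10), i.e. before the fixed patch build.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_affected(product: str, version: str) -> List[str]:
    """Return the CVE ids whose stated range covers this product and version."""
    key = version_key(version)
    hits = set()
    for cve, prod, low, high, inclusive in AFFECTED:
        if prod != product or key < version_key(low):
            continue
        high_key = version_key(high)
        if key < high_key or (inclusive and key == high_key):
            hits.add(cve)
    return sorted(hits)

def triage(inventory) -> dict:
    """Map each inventory host to the CVEs it is still exposed to."""
    return {host: is_affected(prod, ver) for host, prod, ver in inventory}

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(f"{host}: {'PATCH ' + ', '.join(cves) if cves else 'ok'}")
```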
Given Russian activity in U.S. cyberspace, the NSA has rightly urged all network defenders and cybersecurity stakeholders to patch these publicly known vulnerabilities, check their networks for indicators of a breach, and launch incident response accordingly.