In a new cybersecurity advisory, three U.S. agencies say the Russian Foreign Intelligence Service (SVR) is behind the SolarWinds attack and is targeting other agencies and organizations using five other older vulnerabilities.
The group, which is also known as APT29, Cozy Bear and The Dukes, are using publicly known vulnerabilities in Fortinet, Zimbra, Pulse Secure, Citrix and VMware to scan for vulnerable systems to steal credentials for further access.
According to the joint advisory of the National Security Agency, Cybersecurity and Infrastructure Agency and FBI, the group is behind the compromise of the SolarWinds Orion platform that was disclosed in December and thought to be one of the largest cyberattacks in history.
Several U.S. agencies were victims, along with other tech and cybersecurity companies themselves.
Read Next: How SolarWinds Is Recovering and Sharing What It Has Learned Over The Last Three Months
These are the specific vulnerabilities that the SVR is allegedly exploiting to gain footholds into victim devices and networks:
- CVE-2018-13379, affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.
- CVE-2019-9670, affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.
- CVE-2019-11510, affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.
- CVE-2019-19781 Citrix, affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.
- CVE-2020-4006, affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Cloud Foundation 4.0 – 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.
Security patches are available for each, but organizations that haven’t yet updated to the latest versions run the risk of being compromised.
The agencies are urging all organizations to check for indicators of compromise related to the vulnerabilities and other techniques detailed in the advisory.
The advisory comes as the U.S. sanctions the Russian government for their role in the SolarWinds hack, which included expelling 10 Russian diplomats and financial sanctions.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply