
Russian APT Group Actively Exploiting Flaws, U.S. Agencies Warn


The U.S. federal agency advisory on the active exploits of five flaws comes in tandem with the U.S. government formally attributing the SolarWinds supply-chain attack to Russian Foreign Intelligence Service (SVR) actors.

U.S. government agencies are warning that Russian Foreign Intelligence Service (SVR) actors are exploiting five previously-disclosed vulnerabilities in active attacks against U.S. organizations and national security systems.

The advisory, released jointly by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), comes in tandem with the U.S. government on Thursday formally attributing the SolarWinds supply-chain attack to Russian SVR actors with “high confidence” and issuing sanctions against Russia. The advisory urged companies to apply patches, which are available for the five flaws, as they are being continually exploited by the threat actors in order to gain an initial foothold into victim devices and networks.

Attackers “frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,” according to the joint release. “This targeting and exploitation encompasses U.S. and allied networks, including national security and government-related systems.”

The five flaws, all previously disclosed, include a path traversal vulnerability in the Fortinet FortiGate VPN (CVE-2018-13379) that could allow an unauthenticated attacker to download FortiOS system files through specially-crafted HTTP resource requests, and a critical arbitrary file disclosure vulnerability in the Pulse Secure Pulse Connect Secure VPN (CVE-2019-11510) that can be exploited by unauthenticated, remote attackers.

Attackers are also targeting a flaw in the Citrix Application Delivery Controller and Gateway (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution, a critical command injection flaw in VMware Workspace ONE Access (CVE-2020-4006) and an XML External Entity injection vulnerability in the Synacor Zimbra Collaboration Suite (CVE-2019-9670).
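Two of the five flaws above are reached through crafted HTTP requests, and the agencies ask defenders to look for related indicators in their own telemetry. The following is an added illustration, not code from the advisory or the article: a small Python scanner that parses combined-format web access log lines, percent-decodes request URLs (repeatedly, so double encoding does not hide the pattern) and flags requests containing parent-directory hops. It is deliberately generic rather than a signature for any one product; the log format, addresses and request lines are constructed sample data. Vendor- and CVE-specific indicators should come from the advisory itself.

```python
"""Flag directory-traversal attempts in web-server access logs.

Added example (not from the advisory or the article). Normalizes
percent-encoded request paths and reports any request whose decoded URL
contains a parent-directory hop. Log format and sample lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined log format; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2021:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1532
203.0.113.5 - - [15/Apr/2021:10:01:07 +0000] "GET /remote/files?name=../../../etc/passwd HTTP/1.1" 404 210
198.51.100.7 - - [15/Apr/2021:10:02:11 +0000] "GET /api/v1/report?path=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 180
198.51.100.7 - - [15/Apr/2021:10:02:14 +0000] "GET /api/v1/report?path=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 180
192.0.2.9 - - [15/Apr/2021:10:03:00 +0000] "POST /portal/index.html HTTP/1.1" 302 0
"""

# Combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A ".." followed by a separator or the end of the URL, checked after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')
MAX_DECODE_ROUNDS = 3  # bounded so a pathological input cannot loop forever


def normalize_url(url, rounds=MAX_DECODE_ROUNDS):
    """Percent-decode repeatedly (to defeat double encoding), then fold
    backslashes to forward slashes so '..\\' is treated like '../'."""
    decoded = url
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')


def find_traversal_attempts(log_text):
    """Return one record per request whose decoded URL contains a traversal hop."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than aborting the scan
        decoded = normalize_url(m['url'])
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                'src': m['src'],
                'ts': m['ts'],
                'status': int(m['status']),
                'raw_url': m['url'],
                'decoded_url': decoded,
                'hops': decoded.count('../'),
            })
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client address for triage."""
    return dict(Counter(h['src'] for h in hits))


if __name__ == '__main__':
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} status={h['status']} hops={h['hops']} {h['decoded_url']}")
    print(summarize_by_source(found))
```

Note that the scanner reports attempts regardless of response status: a 403 or 404 still shows that someone probed the host, which is exactly the scanning behaviour the advisory describes, and repeated probes from one source are worth correlating with the vendor's own indicators.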

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” according to the release.

SVR, also known as APT29, Cozy Bear, and The Dukes, is a threat group that has been attributed to the Russian government and has operated since at least 2008. In a separate release, the UK also said “it is highly likely” that the SVR carried out the SolarWinds attack, though the overall impact on the UK of the SVR’s exploitation of this software is low.

In addition to compromising SolarWinds Orion software updates, the advisory said that SVR activities have also included targeting COVID-19 research facilities (as seen in previously-reported campaigns) using the WellMess malware, which is a trojan written in either Golang or .NET that has been in use by SVR since at least 2018.


The advisory laid out the TTPs that the actors have leveraged: SVR has previously exploited public-facing applications, relied on external remote services, compromised supply chains, used valid accounts, exploited software for credential access and forged web credentials, it said. To mitigate these attacks, the agencies recommend that organizations keep their systems updated and “patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.”

Organizations should also enforce least-privileged access and make password changes and account reviews routine. They should disable external management capabilities and set up an out-of-band management network, according to the advisory.

Fallout continues from the sprawling SolarWinds supply-chain attack, which hit Microsoft, FireEye and several U.S. government agencies, including the U.S. Department of Homeland Security (DHS) and the Treasury and Commerce departments. The attackers leveraged SolarWinds’ Orion network management platform to infect victims with a backdoor, which they then used for lateral movement to other networks. The backdoor was initially pushed out in trojanized product updates to nearly 18,000 companies worldwide, starting last spring.

In a Wednesday U.S. Senate Intelligence Committee hearing on worldwide threat trends, senators pointed to the SolarWinds attacks as evidence of the need for “new international norms” to prohibit certain attacks, as well as a better ability by the U.S. government to sniff out sophisticated attacks before they occur.

“The SolarWinds hack offered a stark reminder that… there is no requirement to report breaches of critical infrastructure - if FireEye, for example, had not come forward, we might still be in the dark today,” said Sen. Mark Warner, D-Va., the chairman of the Intelligence Committee.