The National Security Agency (NSA) has listed five known vulnerabilities that Russia's SVR is currently targeting. Although patches exist for all five, there are plenty of unpatched systems left for SVR operatives to exploit. And although the warning comes from US agencies, the affected products are sold globally, so their exploitation is far more than a US issue.
In its advisory, the NSA wrote: “Mitigation against these vulnerabilities is critically important as US and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors.” It continued: “NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations.”
What is the NSA warning about?
There are five items on the NSA warning list. They are:
- CVE-2018-13379 Fortinet FortiGate VPN
- CVE-2019-9670 Synacor Zimbra Collaboration Suite
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 VMware Workspace ONE Access
Each of the vendors has already issued patches for the vulnerabilities. However, despite many of those patches being over a year old, there are many unpatched installations. These are all vulnerable to attack.
The NSA is concerned that the SVR will use these vulnerabilities to gain access to organisations' networks. What is not clear is what the agencies are seeing the SVR do once it has compromised an organisation. Is it installing web shells to keep a foothold on the devices? Is it moving laterally across infected networks? What risk does this pose to the software supply chains of the victims of these attacks?
Seven things the NSA is advising companies to do
The NSA has produced an infographic giving seven actions that companies can take to protect themselves. They are:
- Update systems and products as soon as possible after patches are released.
- Assume a breach will happen; review accounts and leverage the latest eviction guidance available.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in client device configurations.
- Reduce exposure of the local network by separating internet-facing services.
- Enable robust logging of internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly in cloud environments.
- Adopt a mindset that compromise happens: Prepare for incident response activities.
All of these are standard best practice. Organisations that are not already taking these steps need to review how they secure their enterprises and make changes accordingly.
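The logging and hunting advice above is the one item on that list that turns into code. The script below is an added example written for this article, not part of the NSA advisory or of any vendor's tooling. It scans web access logs in the common combined format (an assumption: the appliances' own log formats differ) for the publicly documented exploitation paths of the three path-traversal bugs on the list, Fortinet CVE-2018-13379, Pulse Secure CVE-2019-11510 and Citrix CVE-2019-19781, after percent-decoding the request target so that encoded traversal sequences do not slip past. The Zimbra bug (an XXE in the Autodiscover handler) and the Workspace ONE Access bug (a command injection against the administrative configurator) are not path traversals and are out of scope here. The log lines are constructed for the example, not captured traffic.

```python
"""Hunt web access logs for exploitation attempts against three of the five
CVEs in the NSA/CISA/FBI advisory. Added example; signatures are the public
exploit paths, not indicators taken from the advisory itself."""
import re
from urllib.parse import unquote

# Combined log format: "<ip> - - [<ts>] \"<method> <target> <proto>\" <status> ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Apr/2021:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Apr/2021:10:01:05 +0000] "GET /remote/fdm/sslvpn/?lang=/%2E%2E/%2E%2E/%2E%2E/%2E%2E//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 9876 "-" "python-requests/2.25.1"
198.51.100.7 - - [16/Apr/2021:10:02:17 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048 "-" "curl/7.64.1"
192.0.2.44 - - [16/Apr/2021:10:03:44 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.45 - - [16/Apr/2021:10:04:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# (CVE, product, predicate over the normalised request target).
SIGNATURES = [
    # Citrix: the vendor's own mitigation policy blocks "/vpns/" combined with "/../".
    ("CVE-2019-19781", "Citrix ADC / Gateway",
     lambda t: "/vpns/" in t and "/../" in t),
    # Pulse: traversal out of /dana-na/ into the HTML5 access (guacamole) tree.
    ("CVE-2019-11510", "Pulse Connect Secure",
     lambda t: "/dana-na/" in t and "../" in t and "/dana/html5acc/guacamole/" in t),
    # Fortinet: traversal via the lang parameter to read the session file.
    ("CVE-2018-13379", "Fortinet FortiOS SSL VPN",
     lambda t: "/remote/fdm/sslvpn" in t and "sslvpn_websession" in t),
]


def normalise_target(target: str) -> str:
    """Percent-decode up to twice (double encoding is a common evasion) and lower-case."""
    decoded = target
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


def scan_log(text: str) -> list:
    """Return one hit dict per (line, signature) match. A 2xx status on a traversal
    request means the device most likely served the file, i.e. it is unpatched."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not crash the hunt
        target = normalise_target(m["target"])
        status = int(m["status"])
        for cve, product, matches in SIGNATURES:
            if matches(target):
                hits.append({
                    "cve": cve,
                    "product": product,
                    "src": m["ip"],
                    "ts": m["ts"],
                    "status": status,
                    "likely_success": 200 <= status < 300,
                    "target": m["target"],
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "SUCCESS?" if hit["likely_success"] else "blocked"
        print(f'{hit["ts"]} {hit["src"]} {hit["cve"]} ({hit["product"]}) {flag}: {hit["target"]}')
```

Run it against exported logs from the edge proxy or load balancer in front of the appliance rather than the appliance itself: an attacker who succeeded may already have tampered with on-box logs. A hit with a 2xx status on an unpatched device should be treated as a confirmed compromise and followed by credential and session resets, not just a patch.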
According to Chris Hallenbeck, Regional CISO of Americas at Tanium: “Notably those 5 vulnerabilities were announced in 2018, 2019, and 2020. That means organizations are failing to address vulnerabilities that are upwards of three years old, which considerably increases the likelihood of a damaging breach occurring.”
Enterprise Times: What does this mean?
Once again, we are talking about vulnerabilities that have been known for years and are still unpatched. Unfortunately, many organisations have this sort of issue across their IT estate. In some cases, it is because the products are no longer in use but have never been decommissioned and remain reachable. In other cases, it is because their patch management processes are poor. Leaving known vulnerabilities in place invites actors like the SVR to exploit them and penetrate networks. That this is happening here is unsurprising.
Natalie Page, Threat Intelligence Analyst at Talion, said: "This combined alert from 3 major intelligence services has emerged following the United States attribution of the Russian Foreign Intelligence Service (SVR), also known as APT29, Cozy Bear, and The Dukes, to both the SolarWinds attack and espionage campaigns targeting COVID-19 research in the US and UK.
“We have already witnessed Iranian threat groups Pioneer Kitten & UNC757 weaponising two of the exploits last year. Patch management and following the mitigations recommendations set out in the alert from the NSA, FBI and CISA is paramount for organisations looking to protect and detect this threat.”
The big question now is, how dangerous are these attacks? As we don't know how the SVR is leveraging these vulnerabilities, the scale of the risk is unknown. If the NSA, FBI or another US agency sees an increase in threats that pose a wider problem, what happens next? Is there a way to make companies patch their systems? Will we see the FBI seek another warrant to remove malicious code from victims' systems?
This last month has seen a new phase of action from US agencies when it comes to cybersecurity. What will they do next?