The Russian Foreign Intelligence Service, also known as SVR, has been exploiting five known vulnerabilities in multiple infrastructure products as part of its cyberespionage activities. The FBI, CISA, and NSA have published a joint advisory warning about ongoing attacks against U.S. targets. The vulnerabilities exist in Fortinet, Zimbra, Pulse Secure, Citrix, and VMware products.
What has happened?
The advisory disclosed that the Russia-based cyberespionage group is exploiting five flaws to obtain login credentials. Further, it was using these credentials to break into networks of organizations and government agencies.
- The vulnerabilities listed in the advisory include CVE-2018-13379 (Fortinet), CVE-2019-9670 (Zimbra), CVE-2019-11510 (Pulse Secure), CVE-2019-19781 (Citrix), and CVE-2020-4006 (VMware).
- The exploited vulnerabilities are old and have already been addressed by their respective vendors. However, many organizations are yet to patch them in their networks, exposing them to attacks.
- According to the advisory, the U.S. government agencies, critical infrastructure, and allied networks are being regularly scanned, exploited, and targeted by Russia-based cyber actors.
The techniques used by attackers
The advisory included details about the multiple techniques employed by the threat actor in its ongoing attacks:
- The attackers have used multiple techniques, such as exploitation of public-facing applications (T11902), external remote services (T1133), and supply chains (T1195).
- In addition, they leveraged valid accounts (T1078), abused software for credential access (T1212), and forged web credentials: SAML tokens (T1606.002).
The advisory recommends quick mitigation against all the exploited vulnerabilities constantly being utilized by Russian state-sponsored threat actors in their attacks. In addition, it is always recommended that organizations have a robust patch management system to apply important patches as soon as they are released.