By Anand Vasu
The Federal Bureau of Investigation warned on April 16 that actors of the Russian Foreign Intelligence Service (SVR) were exploiting five known vulnerabilities.
The vulnerabilities listed by the FBI were:
- CVE-2018-13379: Fortinet FortiGate VPN
- CVE-2019-9670: Synacor Zimbra Collaboration Suite
- CVE-2019-11510: Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781: Citrix Application Delivery Controller and Gateway
- CVE-2020-4006: VMware Workspace ONE Access
The FBI said that the actors, also known as APT29, Cozy Bear, and The Dukes, frequently conducted widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.
“NSA, CISA, and FBI are aware that United States Government, critical infrastructure (including Defense Industrial Base), and allied networks are consistently scanned, targeted, and exploited by Russian state-sponsored cyber actors,” the latest report from the US Department of Defense said.
The release also formally named Russian actors in the SolarWinds attack. In 2020 a massive cyberattack — one of the largest of its kind — targeted the US government, its agencies and several other private companies.
More recently, SVR’s activities included targeting COVID-19 research facilities via WellMess malware, and targeting networks through the VMware vulnerability disclosed by NSA.
The Department of Defense advocated taking the following measures to mitigate the risk posed by Russian actors:
- Keep systems and products updated, and patch as soon as possible after patches are released, since many actors exploit numerous vulnerabilities.
- Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in device configurations.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.
- Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.
- Adopt a mindset that compromise happens: prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach’s full scope before remediating.
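The hunt for credential misuse recommended above, as an added example that is not part of the original article or of any agency guidance: it parses constructed authentication events from an Internet-facing VPN gateway (the log format and sample values are assumptions for this example, not any vendor's real format), flags source addresses whose failures span many distinct accounts (the spraying pattern used to harvest credentials), and lists accounts that then logged in successfully from such a source, since patching the appliance does not revoke a credential already taken.

```python
import re
from collections import defaultdict

# Constructed sample: syslog-style authentication events from an Internet-facing
# VPN gateway. The format and addresses are invented for this example.
SAMPLE_LOG = """\
2021-04-16T02:10:01Z vpn-gw auth: user=alice src=198.51.100.7 result=FAIL
2021-04-16T02:10:03Z vpn-gw auth: user=bob src=198.51.100.7 result=FAIL
2021-04-16T02:10:05Z vpn-gw auth: user=carol src=198.51.100.7 result=FAIL
2021-04-16T02:10:07Z vpn-gw auth: user=dave src=198.51.100.7 result=FAIL
2021-04-16T02:10:09Z vpn-gw auth: user=erin src=198.51.100.7 result=SUCCESS
2021-04-16T08:30:00Z vpn-gw auth: user=alice src=203.0.113.5 result=SUCCESS
2021-04-16T09:00:00Z vpn-gw auth: user=frank src=192.0.2.9 result=FAIL
2021-04-16T09:00:30Z vpn-gw auth: user=frank src=192.0.2.9 result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_events(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_spraying_sources(events, min_accounts=3):
    """Source IPs whose failed logins touched at least min_accounts distinct accounts.
    One address trying many accounts is the spraying pattern, not a user mistyping."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["src"]].add(e["user"])
    return sorted(src for src, users in failed_users.items() if len(users) >= min_accounts)

def find_success_after_spray(events, spray_sources):
    """Accounts that logged in successfully from a spraying source: credentials the
    actor now holds, which patching alone will not revoke (reset and review them)."""
    return sorted({e["user"] for e in events if e["result"] == "SUCCESS" and e["src"] in spray_sources})

def hunt(text, min_accounts=3):
    events = parse_events(text)
    sources = find_spraying_sources(events, min_accounts)
    return {"spray_sources": sources, "compromised_accounts": find_success_after_spray(events, sources)}

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

The single failure from 192.0.2.9 against one account is left alone; only the address cycling through several accounts is reported.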
US law enforcement has warned for some time now of the threat posed by Russian cyber criminals.