Fed Joint Advisory: Patch These 5 Vulnerabilities Under Active Attack
Nation-state threat actors with ties to Russia are actively exploiting five publicly known vulnerabilities to compromise a range of entities within the US and its allies.
By - The National Security Agency, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency, and the FBI released a joint alert, warning that nation-state threat actors from Russia are actively targeting and exploiting five publicly known vulnerabilities to compromise US networks.
The news followed the Biden Administration’s sanctions against the Russian government, which formerly attributed SolarWinds Orion supply-chain attack to the country’s foreign service: the Russian Foreign Intelligence Service (SVR) actors, also known as APT29, Cozy Bear, and The Dukes.
"The U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR," according to the White House statement. "The SVR’s compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide."
"The scope of this compromise is a national security and public safety concern," it added. "Moreover, it places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident."
The hackers frequently conduct widespread scanning and leverage publicly known, unpatched flaws to steal authentication credentials, which allows for further access. The attacks target US and allied networks, including the government and national security agencies.
The provided alert sheds light on additional tactics and techniques the actors are continuing to use in their attacks, in an effort to support and encourage administrators to apply necessary measures to mitigate the risk posed by the exploits.
Under the current campaign, the threat actors are targeting: CVE-2018-13379 Fortinet FortiGate VPN, CVE-2019-9670 Synacor Zimbra Collaboration Suite, CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN, CVE-2019-19781 Citrix Application Delivery Controller and Gateway, and CVE-2020-4006 VMware Workspace ONE Access.
The FBI and CISA recently warned that threat actors were exploiting the unpatched Fortinet flaw to gain network access to a host of technology services, government agencies, and private sector entities.
The techniques used in the latest campaign include exploiting public-facing applications, external remote services, and supply chain entities, as well as utilizing valid accounts, exploiting software for credential access, and even forging web credentials.
Upon a successful exploit, the attackers use the vulnerabilities as a foothold onto the victim’s network.
“Mitigation against these vulnerabilities is critically important as US and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors,” officials explained.
“In addition to compromising the SolarWinds Orion software supply chain, recent SVR activities include targeting COVID-19 research facilities via WellMess malware and targeting networks through the VMware vulnerability disclosed by NSA,” they added.
In response, all cybersecurity stakeholders have been urged to check the enterprise network for indicators of compromise as it relates to the five disclosed vulnerabilities, as well as the mitigation techniques outlined in the provided advisory.
Specifically, administrators should keep systems and products updated, applying known patches as soon as possible as many threat actors exploit vulnerabilities shortly after flaws are disclosed.
For example, unsecured or misconfigured databases are targeted within eight hours of being exposed, while threat actors begin targeting new, online servers less than one minute after implementation.
Further, administrators should operate under the expectation that when an unpatched device resulted in data theft or modification, a software update or simple remediation will not alleviate the issue.
Entities should also assume a breach will occur and apply least-privileged access policies across the enterprise. Password changes and account reviews should also become routine practice.
External management capabilities should be disabled, and administrators should set up an out-of-band management network and block obsolete or unused protocols at the network edge.
“Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network,” officials recommended. “Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.”
“Adopt a mindset that compromise happens: prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach’s full scope before remediating,” they concluded.
Entities should also review the technical and mitigation details provided within each CVE disclosure to ensure they’ve fully understood the risks and needed security measures to remediate the threats posed by these vulnerabilities.
