As promised in the executive order President Biden signed today sanctioning the Russian government for the SolarWinds Orion supply-chain compromise and other transgressions, U.S. intelligence and law enforcement agencies published a list of five publicly known vulnerabilities that the Russian Foreign Intelligence Service is actively exploiting and that, they say, network operators need to defend against urgently.
The joint advisory from the National Security Agency (NSA), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) exposes “ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities,” the agencies said.
“In addition to compromising the SolarWinds Orion software supply chain, recent SVR activities include targeting COVID-19 research facilities via WellMess malware and targeting networks through the VMware vulnerability disclosed by NSA,” they said.
“We are publishing this product to highlight additional tactics, techniques, and procedures being used by SVR so that network defenders can take action to mitigate against them,” the U.S. authorities said.
The agencies left little doubt that quick action is necessary to protect against those vulnerabilities. “Mitigation against these vulnerabilities is critically important as U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors,” NSA, CISA, and FBI said.
“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” the agencies said.
The vulnerabilities flagged by the agencies, all in internet-facing perimeter or identity infrastructure and all with vendor patches available at the time of the advisory, are:
- CVE-2018-13379 Fortinet FortiGate VPN (pre-authentication path traversal in the SSL VPN web portal that exposes system files, including session data)
- CVE-2019-9670 Synacor Zimbra Collaboration Suite (XML external entity injection)
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (pre-authentication arbitrary file read)
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal leading to remote code execution)
- CVE-2020-4006 VMware Workspace ONE Access (command injection in the administrative configurator)
Because the Fortinet and Pulse Secure flaws let an attacker read credential and session material, patching those devices is not enough on its own: credentials and active sessions should also be reset, and the agencies' call to hunt for indicators of compromise applies even to systems that are now up to date.
Chris Hallenbeck, CISO of Americas at cybersecurity and systems management provider Tanium, told MeriTalk today that the White House’s naming of the Russian government in the executive order was not a surprise, and that the administration’s actions should serve as a wake-up call about lingering security problems.
“The scale and audacity of the breach made it almost certain that it was state-sponsored, and the attribution by government intelligence, law enforcement, and cyber protection agencies points the finger squarely at one country,” Hallenbeck said.
“Sanctions alone are unlikely to bring brazen hacking to an end,” the Tanium official continued. “It is up to companies and organizations to improve their cyber hygiene to make such intrusions less frequent and less impactful when they do occur.”
“Today, the National Security Agency released guidance outlining 5 vulnerabilities being exploited by who the NSA attributes as being Russian hackers,” he said. “Notably those 5 vulnerabilities were announced in 2018, 2019, and 2020. That means organizations are failing to address vulnerabilities that are upwards of three years old, which considerably increases the likelihood of a damaging breach occurring.”