The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called Russian SVR Targets U.S. and Allied Networks, to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisories’ executive summary reads:
Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.
Remarkable mentions in the cybersecurity advisory
Released alongside the advisory is the US Government’s formal attribution of the SolarWinds supply chain compromise, and the cyber espionage campaign related to it, to Russia.
Mentioned are recent SVR activities that include targeting COVID-19 research facilities via WellMess malware and targeting networks through a VMware vulnerability disclosed by NSA.
Vulnerabilities
NSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).
The advisory lists the following CVEs:
- CVE-2018-13379 as discussed here: Fortinet FortiGate VPN
- CVE-2019-9670 as discussed here: Synacor Zimbra Collaboration Suite
- CVE-2019-11510 as discussed here: Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 as discussed here: Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 as discussed here: VMware Workspace ONE Access
We have added a link to the vendor’s sites where they discuss the vulnerabilities and where you can find how to patch them. As you can see most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.
General mitigation strategy
While some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:
- Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.
- Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in device configurations.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.
- Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.
- Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach’s full scope before remediating.
Techniques
The techniques leveraged by SVR actors include:
- Exploiting public-facing applications. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.
- Leveraging external remote services. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RPD) allow users to connect to internal enterprise network resources from external locations.
- Compromising supply chains. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
- Using valid accounts. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.
- Exploiting software for credential access. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
- Forging web credentials: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
The items listed under mitigations and techniques probably won’t be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.
Stay safe, everyone!
