On Thursday, April 15th, the United States National Security Agency (N.S.A.), Federal Bureau of Investigation (F.B.I.), and Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement outlining evidence of cyber-attacks being carried out by the Russian Foreign Intelligence Service (which is known by the acronym S.V.R.). The full text of the federal cybersecurity advisory is available here and outlines that Russian Foreign Intelligence Service (S.V.R.) actors known as APT29, Cozy Bear, and The Dukes have been implicated in cyberattacks against five previously unknown vulnerabilities:
The advisory connects these most recent cyberattacks with the SolarWinds® Orion® software update incident, which targeted COVID-19 research facilities by deploying the WellMess malware and leveraging a VMware® zero-day vulnerability for the Security Assertion Markup Language (SAML) authentication manipulation. The government specifies that similar authentication abuses occurred during the SolarWinds® data breach from earlier this year.
Recommended Mitigation Procedures to Counter this Cyber Threat Event
Due to the scope and complexity of this current cyber threat event, the N.S.A., CISA, and F.B.I. recommend immediate actions to mitigate the impact of these attacks. Failure to mitigate these issues poses unique cybersecurity challenges that elevate national security issues because sensitive data related to U.S. policies, strategies, plans, ongoing operations, and competitive advantages are exposed. The specific techniques utilized in this current threat event include:
- Exploiting public-facing applications (T11902)
- Leveraging external remote services (T1133)
- Compromising supply chains (T1195)
- Using valid accounts (T1078)
- Exploiting software for credential access (T1212)
- Forging web credentials: SAML tokens (T1606.002)
The following list of Common Vulnerabilities and Exposures (C.V.E.s) list highlights the specific threat vectors being utilized by Russian Intelligence Service state actors: CVE-2018-1337: In Fortinet Secure Sockets Layer (SSL) Virtual Private Network (VPN) web portals, an Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") allows an unauthenticated attacker to download system files via special crafted HTTP resource requests. Advisory: APT29 target COVID-19 vaccine development (U/OO/152680-20) Mitigating Recent VPN Vulnerabilities (U/OO/196888-19) Affects: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 CVE-2019-9670: In Synacor Zimbra Collaboration Suite, the mailbox component has an XML External Entity injection (X.X.E.) vulnerability. Advisory: APT29 target COVID-19 vaccine development (U/OO/152680-20) CVE-2019-11510: In Pulse Secure VPNs, an unauthenticated, remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. Advisory: APT29 target COVID-19 vaccine development (U/OO/152680-20) Mitigating Recent VPN Vulnerabilities (U/OO/196888-19) Affects: Pulse Connect Secure (P.C.S.) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. CVE-2019-19781: Citrix® Application Delivery Controller (A.D.C.) and Gateway allow directory traversal. Advisory: APT29 target COVID-19 vaccine development (U/OO/152680-20) Detect and Prevent Web Shell Malware (U/OO/134094-20) Mitigate CVE-2019-19781 (U/OO/103100-20) Affects: Citrix A.D.C. and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b. CVE-2020-4006: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability. Advisory: Russian State-Sponsored Actors Exploiting Vulnerability in VMware Workspace O.N.E. Access Using Compromised Credentials (U/OO/195076-20) Perform Out-of-Band Network Management (U/OO/169570-20) Affects: VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 - 3.3.3 on Linux, V.M. The F.B.I. has shared a detailed infographic outlining this current cyber threat with recommendations about countering it. They recommend the following steps to act against this threat:
- Update systems and products as soon as possible after patches are released.
- Assume a breach will happen; review accounts and leverage the latest eviction guidance available.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in client device configurations.
- Reduce exposure of the local network by separating internet-facing services into a small, isolated network.
- Enable robust logging of internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly in cloud environments.
- Adopt a mindset that compromise happens: Prepare for incident response activities.
Develop a Nimbler Cyber Threat Response Protocol with a Trusted Cybersecurity Partner
When it comes to cybersecurity, smaller I.T. teams have the most challenging job out there. That's because you have to take care of everything I.T.-related - in addition to managing security. All too often, there is no one on your team that is dedicated to security, and even if there is, the bad guys don't keep bankers' hours, and your security person can't work 24/7. The choice seems to be — go it alone — or try and get the budget for more cybersecurity tools. Not anymore! Gradient is a powerful combination of proprietary technology and security experts that use our Cognitive Library to generate A.I.-driven cybersecurity assessments. As your cybersecurity partner, Gradient makes the job of managing security much easier for your small-scale I.T. team without breaking the bank.
Learn more out how we can help your organization develop a nimbler cyber threat response protocol.
