CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.
Specifically, SVR actors are targeting and exploiting the following vulnerabilities:
- CVE-2018-13379 Fortinet FortiGate VPN
- CVE-2019-9670 Synacor Zimbra Collaboration Suite
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 VMware Workspace ONE Access
Additionally, the White House has released a statement formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:
- Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
- Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
- Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
- Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST
- Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP
- Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs
- Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page
CISA strongly encourages users and administrators to review Joint CSA: Russian SVR Targets U.S. and Allied Networks for SVR tactics, techniques, and procedures, as well as mitigation strategies.