Tension between Russia and the United States is growing due to the ongoing cyberattacks on public and private sector institutions and the U.S. government by Russian government hackers. The National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) issued a joint alert alerting about the ongoing Russian Foreign Intelligence Service (SVR) exploitation of software vulnerabilities.
The attacks have been ascribed to the Cozy Bear Advanced Persistent Threat (APT) Group – also known as APT29/The Dukes – which is connected with the SVR. The APT group is doing extensive scanning and exploitation of software flaws in vulnerable systems to obtain access to credentials that permit them to obtain more access to devices and networks for spying activities. The FBI, NSA and CISA, have given information regarding five software vulnerabilities that the SVR still successfully exploit to get access to networks and devices.
The FBI, NSA, and CISA have earlier provided mitigations that could be applied to protect against these vulnerabilities’ exploitation. Patches are accessible to resolve all software vulnerabilities. Although a lot of organizations have now patched the vulnerabilities, they might have actually been exploited and systems compromised. Steps ought to be taken to know whether systems were breached and if actions were done to offset the loss of sensitive information that can enable Russia to acquire a strategic or competitive advantage.
The SVR hackers commonly exploited the following 5 software vulnerabilities:
1. CVE-2018-13379 is identified in Fortinet FortiGate VPNs. Unauthenticated attackers will be able to obtain system files through HTTP resource requests. The affected versions include Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
2. CVE-2019-9670 is discovered in the Synacor Zimbra Collaboration Suite. It is an XML External Entity injection (XXE) vulnerability. The affected versions include 8.7.x before 8.7.11p10.
3. CVE-2019-11510 is identified in Pulse Secure VPNs. An unauthenticated remote attacker may send a specially designed Uniform Resource Identifier (URI) to carry out an arbitrary file read. The affected versions include PCS 8.2 before 8.2R12.1, 8.3 prior to 8.3R7.1, and 9.0 before 9.0R3.4.
4. CVE-2019-19781 is discovered in Citrix Application Delivery Controller and Gateway Directory. This traversal vulnerability allows an unauthenticated attacker to carry out arbitrary code The affected versions include the Citrix ADC and Gateway versions prior to 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.
5. CVE-2020-4006 is identified in VMware Workspace One Access. This Command injection vulnerability permits an attacker to have a valid password to implement commands with unlimited privileges on the root operating system. The affected versions include the VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Vrealize Suite Lifecycle Manager 8.x, and VMware Cloud Foundation 4.0 – 4.1.
NSA, CISA, and FBI strongly urge all cybersecurity stakeholders to examine their networks for signs of compromise associated with all five vulnerabilities and the strategies mentioned in the alert and to urgently carry out proper mitigations,” stated in the notification.
Official Association of SolarWinds Orion Supply Chain Attack
The United States government has likewise formally charged the Russian government of organizing and running the massive SolarWinds Orion supply chain attack, which allowed the SVR to acquire access to about 18,000 computers around the world and perform more comprehensive attacks on cybersecurity organizations of the United States and its allies Malwarebytes, FireEye, Mimecast – and federal agencies in the U.S. Russia has additionally been officially incriminated of being involved in activities with the intention of troubling the U.S. presidential election in November 2020.
Sanctions Enforced on Russia by President Biden
President Biden has approved an executive order hindering property and putting new limitations on Russia’s sovereign debt to make it more difficult for the government to raise cash. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken steps against 16 entities and 16 people for their part in the campaign to affect the 2020 U.S. presidential election, under the command of the Russian government.
All property and assets of those entities and persons that are covered by U.S. jurisdiction were blocked and the entities and people were included in OFAC’s SDN list. U.S. people were forbidden from having dealings with them. Russian Technology businesses under the sanctions were Neobit, SVA, AST, Pasit, Positive Technologies, and ERA Technologies.