Pierluigi Paganini April 16, 2021

The US government warned that Russian cyber espionage group SVR is exploiting five known vulnerabilities in enterprise infrastructure products.

The U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have published a joint advisory that warns that Russia-linked APT group SVR  (aka APT29, Cozy Bear, and The Dukes). is exploiting five vulnerabilities in attacks against U.S. targets.

Cyberspies leverages these flaws to obtain login credentials and use them to break into networks of US organizations and government agencies.

The vulnerabilities listed in the advisory are:

• CVE-2018-13379 Fortinet
• CVE-2019-9670 Zimbra
• CVE-2019-11510 Pulse Secure
• CVE-2019-19781 Citrix
• CVE-2020-4006 VMware

“The vulnerabilities in today’s release are part of the SVR’s toolkit to target networks across the government and private sectors,” Rob Joyce, NSA Director of Cybersecurity. “We need to make SVR’s job harder by taking them away.”

The above vulnerabilities are all old issues that were already addressed by the vendors, but evidently many organizations have yet to address them in their networks that are exposed to attacks conducted by both nation-state actors and cybercrime organizations.

“Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access. This targeting and exploitation encompasses U.S. and allied networks, including national security and government-related systems.” reads the advisory. “The SVR has exploited—and continues to successfully exploit—software vulnerabilities to gain initial footholds into victim devices and networks”

The advisory urges the adoption of mitigation against the above vulnerabilities that constantly probed and exploited by Russian state-sponsored cyber actors in attacks aimed at the U.S. and allied networks.

In the same hours, the U.S. government formally attributed with “high confidence” the SolarWinds supply chain attack to Russia’s Foreign Intelligence Service (SVR).

The Biden administration announced the US government is expelling 10 Russian diplomats and imposing sanctions against technology firms and people linked to Russian intelligence that attempted to interfere in last year’s presidential election and for conducting cyberattacks against federal agencies.

The sanctions against Russia have been imposed for:

• undermining the conduct of free and fair elections and democratic institutions in the United States and its allies and partners;
• engaging in and facilitating malicious cyber activities against the United States and its allies and partners that threaten the free flow of information;
• fostering and using transnational corruption to influence foreign governments;
• pursuing extraterritorial activities targeting dissidents or journalists;
• undermining security in countries and regions important to the United States’ national security; and violating well-established principles of international law, including respect for the territorial integrity of states.

“NSA, CISA, and FBI are aware that United States Government, critical infrastructure (including Defense Industrial Base), and allied networks are consistently scanned, targeted, and exploited by Russian state-sponsored cyber actors. NSA, CISA, and FBI recommend that critical system owners prioritize the following mitigation actions to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, ongoing operations, and competitive advantage.” concludes the advisory.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]