Russia-linked APT SVR actively targets these 5 flaws

The US government warned that Russian cyber espionage group SVR is exploiting five known vulnerabilities in enterprise infrastructure products.

The U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have published a joint advisory that warns that Russia-linked APT group SVR (aka APT29, Cozy Bear, and The Dukes). is exploiting five vulnerabilities in attacks against U.S. targets.

Cyberspies leverages these flaws to obtain login credentials and use them to break into networks of US organizations and government agencies.

The vulnerabilities listed in the advisory are:

CVE-2018-13379 Fortinet
CVE-2019-9670 Zimbra
CVE-2019-11510 Pulse Secure
CVE-2019-19781 Citrix
CVE-2020-4006 VMware

“The vulnerabilities in today’s release are part of the SVR’s toolkit to target networks across the government and private sectors,” Rob Joyce, NSA Director of Cybersecurity. “We need to make SVR’s job harder by taking them away.”

The above vulnerabilities are all old issues that were already addressed by the vendors, but evidently many organizations have yet to address them in their networks that are exposed to attacks conducted by both nation-state actors and cybercrime organizations.

“Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access. This targeting and exploitation encompasses U.S. and allied networks, including national security and government-related systems.” reads the advisory. “The SVR has exploited—and continues to successfully exploit—software vulnerabilities to gain initial footholds into victim devices and networks”

The advisory urges the adoption of mitigation against the above vulnerabilities that constantly probed and exploited by Russian state-sponsored cyber actors in attacks aimed at the U.S. and allied networks.

In the same hours, the U.S. government formally attributed with “high confidence” the SolarWinds supply chain attack to Russia’s Foreign Intelligence Service (SVR).

The Biden administration announced the US government is expelling 10 Russian diplomats and imposing sanctions against technology firms and people linked to Russian intelligence that attempted to interfere in last year’s presidential election and for conducting cyberattacks against federal agencies.

The sanctions against Russia have been imposed for:

undermining the conduct of free and fair elections and democratic institutions in the United States and its allies and partners;
engaging in and facilitating malicious cyber activities against the United States and its allies and partners that threaten the free flow of information;
fostering and using transnational corruption to influence foreign governments;
pursuing extraterritorial activities targeting dissidents or journalists;
undermining security in countries and regions important to the United States’ national security; and violating well-established principles of international law, including respect for the territorial integrity of states.

“NSA, CISA, and FBI are aware that United States Government, critical infrastructure (including Defense Industrial Base), and allied networks are consistently scanned, targeted, and exploited by Russian state-sponsored cyber actors. NSA, CISA, and FBI recommend that critical system owners prioritize the following mitigation actions to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, ongoing operations, and competitive advantage.” concludes the advisory.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.