The US attributed a number of malicious activities to the Russian Foreign Intelligence Service

The United States’ National Security Agency  (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) jointly issued a common Cybersecurity Advisory directly attributing the exploitation of multiple vulnerabilities for conducting attacks against US targets and allied networks to the Russian Foreign Intelligence Service (SVR).

In the report, the agencies stated that

• supply chain attack on SolarWinds software and subsequent malicious activities associated with vulnerabilities in this software,
• WellMess malware attacks on COVID-19 labs, and
• exploits of zero-day vulnerabilities in VMware

were directly executed by a group, also known as APT29, Cozy Bear or the Dukes, belonging to the SVR. This group often exploits known vulnerabilities in an effort to infiltrate systems and obtain authentication credentials to allow further access. The attacks target American and allied networks, including national security and government-related systems.

Known vulnerabilities that the SVR exploits include:

• CVE-2018-13379 in the product Fortinet FortiGate VPN
• CVE-2019-9670 in the product Synacor Zimbra Collaboration Suite
• CVE-2019-11510 in the product Pulse Secure Pulse Connect Secure VPN
• CVE-2019-19781 in the product Citrix Application Delivery Controller and Gateway
• CVE-2020-4006 in the product VMware Workspace ONE Access

The Cybersecurity Advisory also contains actions to be taken in order to mitigate the exploitation of these vulnerabilities. NSA, CISA and FBI jointly recommend that government organisations, critical infrastructure entities and allied agencies verify the presence of mentioned vulnerabilities and then apply updates as soon as possible. They have also issued a number of general recommendations to mitigate the risk of cybersecurity incidents.

« Späť na zoznam