Russia is exploiting these five publicly known vulnerabilities to target the US and Allies
Check your networks for indicators of compromise related to all five vulnerabilities
The failure to patch critical software vulnerabilities continues to leave a door wide open for foreign intelligence services, a concerned NSA and FBI have warned in their umpteenth advisory on the subject, saying that Russia's foreign intelligence services are actively exploiting five key previously known software vulnerabilities.
The agencies today published a new paper highlighting additional tactics, techniques, and procedures being used by Russia's SVR (foreign intelligence), in a bid to help network defenders mitigate a sustained threat.
The five previously known software vulnerabilies being widely abused are:
- CVE-2018-13379 Fortinet FortiGate VPN
- CVE-2019-9670 Synacor Zimbra Collaboration Suite
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 VMware Workspace ONE Access
The NSA said today (April 15): "NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations." IOCs, Yara Rules, and Hashes are here.
For those close to the cybersecurity community, the call to patch well-known critical software vulnerabilities may be a tired one. Yet too many organisations still appear happy to bolt the doors, lock the filing cabinets, screw in some CCTV and switch on their alarms, but leave a digital expressway into their systems wide open for for spooks and crooks with what is, effectively, a big red "welcome" sign dangling for any bad actor scanning for a way in.
With organisations often slow to patch -- where they do at all -- adversaries from nation states to cybercriminals can reduce the amount of resources they need to exploit targets. (They may otherwise choose to burn zero days -- previously unknown bug exploits --- on priority targets. Too often though, there's just no need.)
Both UK and US security agencies continue to urge public and private sector organisations to improve their patching. Today (April 15)'s note comes a year after the same set of agencies called on partners to help "degrade some foreign cyber threats... through an increased effort to patch their systems and implement programs to keep system patching up to date. [Patching these vulnerabilities] would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."
Government agencies are stepping up their pressure on companies to improve security as digital intrusions become a daily part of geopolitical tension -- with the private sector often inadvertently or sometimes intentionally (through supply chain attacks) caught up in a new great game of international cyber-whack-a-mole. Yet rudimentary security errors event at large organisations remain widely prevelant. Scores of companies across the FTSE 350 are still demonstrating “nakedly dangerous” protocol exposures for example, with Windows Remote Desktop (RDP), file-sharing (SMB), and Telnet exposed to the public internet, as The Stack reported today. Many common security issues can be addressed by some of the mitigations listed by the NSA today.
Follow The Stack on LinkedIn
These include:
- Keeping systems and products updated and patch as soon as possible after patches are released.
- Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions.
- Assume that a breach will happen, enforce least-privileged access, do regular account reviews.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in device configurations.
- Isolate Internet-facing services in a network DMZ to reduce exposure of the internal network.
- Enable robust logging of Internet-facing services and authentication functions.
- Continuously hunt for signs of compromise or credential misuse,particularly within cloud environments.
- Adopt a mindset that compromise happens: prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach’s full scope before remediating.