CISA, FBI, NSA reveal five enterprise bugs exploited by Russia's APT29 group

Three US security agencies have published on Thursday a joint advisory to expose and draw attention to five vulnerabilities in popular enterprise equipment that have and are still being abused by Russian state hackers to breach corporate and government networks.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) named the Russian hackers by their real-world identity —as the Russian Foreign Intelligence Service (SVR) — rather than their usual APT29 and Cozy Bear codenames used by the cybersecurity industry.

The reason was that the joint advisory was released at the same time with a sweeping set of economic sanctions against the Russian government, Russian tech firms, and Russian nationals.

In the sanctions, the Biden administration formally accused the SVR and its hacking units of orchestrating the SolarWinds supply chain attack.

The joint security advisory was meant to expose additional tactics that the SVR is still using today to attack US and allied private and public networks.

CISA, the FBI, and the NSA said the SVR frequently scans networks for systems that have been left unpatched for publicly known vulnerabilities "in an effort to obtain authentication credentials to allow further access."

Targeted vulnerabilities included:

• CVE-2018-13379 - impacting Fortinet's FortiOS
• CVE-2019-9670 - impacting the Zimbra Collaboration Suite
• CVE-2019-11510 - impacting Pulse Secure VPNs
• CVE-2019-19781 - impacting Citrix ADC network gateways
• CVE-2020-4006 - impacting VMware Workspace ONE Access

Multiple prior warnings existed

All the five vulnerabilities are well-known and have been previously abused in attacks by both nation-state threat actors and cybercrime groups.

For example, the SVR had previously used the first four vulnerabilities from the list above to target and breach the networks of companies working in COVID-19 vaccine development, according to a joint US-UK security alert published in July 2020 [PDF].

The NSA also released a security advisory in December 2020 warning US companies that Russian hackers were also abusing the fifth bug, the VMWare vulnerability.

Previously, the NSA had also warned US companies and government agencies in October 2019 that Russian state actors were exploiting the Fortinet and Pulse Secure VPN bugs to breach networks [see PDF].

The Citrix vulnerability was also included on an NSA list of top bugs exploited by nation-states to plant web shells [see PDF].

"Mitigation against these vulnerabilities is critically important as US and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors," the NSA said in a press release.

The three agencies have frequently published similar advisories over the past two-three years in order to sabotage foreign hacking operations. The targets of these advisories previously also included Chinese, Iranian, and North Korean hacking groups.