- CVE-2018-13379 Fortinet®
- CVE-2019-9670 Zimbra®
- CVE-2019-11510 Pulse Secure®
- CVE-2019-19781 Citrix®
- CVE-2020-4006 VMware®
Recommended Mitigation Procedures to Counter this Cyber Threat Event
Due to the scope and complexity of this current cyber threat event, the N.S.A., CISA, and F.B.I. recommend immediate actions to mitigate the impact of these attacks. Failure to mitigate these issues poses unique cybersecurity challenges that elevate national security issues because sensitive data related to U.S. policies, strategies, plans, ongoing operations, and competitive advantages are exposed. The specific techniques utilized in this current threat event include:
-
Exploiting public-facing applications (T11902)
-
Leveraging external remote services (T1133)
-
Compromising supply chains (T1195)
-
Using valid accounts (T1078)
-
Exploiting software for credential access (T1212)
-
Forging web credentials: SAML tokens (T1606.002)
The following list of Common Vulnerabilities and Exposures (C.V.E.s) list highlights the specific threat vectors being utilized by Russian Intelligence Service state actors: CVE-2018-1337: In Fortinet Secure Sockets Layer (SSL) Virtual Private Network (VPN) web portals, an Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") allows an unauthenticated attacker to download system files via special crafted HTTP resource requests. Advisory: APT29 target COVID-19 vaccine development (U/OO/152680-20) Mitigating Recent VPN Vulnerabilities (U/OO/196888-19) Affects: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 CVE-2019-9670: In Synacor Zimbra Collaboration Suite, the mailbox component has an XML External Entity injection (X.X.E.) vulnerability. Advisory: APT29 target COVID-19 vaccine development (U/OO/152680-20) CVE-2019-11510: In Pulse Secure VPNs, an unauthenticated, remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. Advisory: APT29 target COVID-19 vaccine development (U/OO/152680-20) Mitigating Recent VPN Vulnerabilities (U/OO/196888-19) Affects: Pulse Connect Secure (P.C.S.) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. CVE-2019-19781: Citrix® Application Delivery Controller (A.D.C.) and Gateway allow directory traversal. Advisory: APT29 target COVID-19 vaccine development (U/OO/152680-20) Detect and Prevent Web Shell Malware (U/OO/134094-20) Mitigate CVE-2019-19781 (U/OO/103100-20) Affects: Citrix A.D.C. and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b. CVE-2020-4006: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability. Advisory: Russian State-Sponsored Actors Exploiting Vulnerability in VMware Workspace O.N.E. Access Using Compromised Credentials (U/OO/195076-20) Perform Out-of-Band Network Management (U/OO/169570-20) Affects: VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 - 3.3.3 on Linux, V.M. The F.B.I. has shared a detailed infographic outlining this current cyber threat with recommendations about countering it.
They recommend the following steps to act against this threat:
-
Update systems and products as soon as possible after patches are released.
-
Assume a breach will happen; review accounts and leverage the latest eviction guidance available.
-
Disable external management capabilities and set up an out-of-band management network.
-
Block obsolete or unused protocols at the network edge and disable them in client device configurations.
-
Reduce exposure of the local network by separating internet-facing services into a small, isolated network.
-
Enable robust logging of internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly in cloud environments.
-
Adopt a mindset that compromise happens: Prepare for incident response activities.
Develop a Nimbler Cyber Threat Response Protocol with a Trusted Cybersecurity Partner
When it comes to cybersecurity, smaller I.T. teams face perhaps the most daunting task in the industry. These teams are often stretched thin, as they are responsible for overseeing every aspect of information technology within an organization. This includes everything from maintaining hardware and software systems, ensuring smooth network operations, to managing complex databases
On top of these substantial responsibilities, they must also tackle the critically important role of safeguarding the organization’s digital assets from cyber threats. More often than not, these small teams lack a dedicated cybersecurity specialist, which means the task of protecting sensitive data and systems is often juggled along with other I.T. duties.
Even when a team does include a security professional, cybercriminals operate around the clock, far beyond traditional working hours, making it impossible for any single individual to monitor and respond to threats 24/7. This situation leaves smaller teams with two difficult choices:
- attempt to manage the cybersecurity landscape on their own with limited resources
- seek additional funding to invest in advanced cybersecurity tools and solutions.
However, the introduction of Gradient has revolutionized this scenario. Gradient offers a robust solution by blending cutting-edge proprietary technology with the expertise of seasoned security professionals. Their Cognitive Library enables the creation of A.I.-driven cybersecurity assessments tailored specifically for your organization.
By partnering with Gradient, your small-scale I.T. team gains access to tools and support that streamline the management of security tasks, effectively fortifying your systems against cyber threats without imposing a significant financial burden. This partnership empowers your team to enhance their cybersecurity measures while maintaining focus on other crucial I.T. responsibilities.