Widely deployed platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware are all in the crosshairs of APT29, bent on stealing credentials and more.
The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.
According to the U.S. National Security Agency (NSA), which issued an alert Thursday, the advanced persistent threat (APT) group known as APT29 (a.k.a. Cozy Bear or The Dukes) is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.”
The targets include U.S. and allied national-security and government networks, it added.
The five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.
“Some of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,” said researchers with Cisco Talos, in a related posting on Thursday. “Please note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption…to detect exploitation of these vulnerabilities.”
The NSA has linked APT29 to Russia’s Foreign Intelligence Service (SVR). The news comes as the U.S. formally attributed the recent SolarWinds supply-chain attack to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.
The 5 Vulnerabilities Being Actively Exploited
According to the NSA, the following are under widespread attack in cyber-espionage efforts:
CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)
CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)
CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)
CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)
CVE-2020-4006 VMware Workspace ONE Access (command injection)
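Three of the five bugs (the Fortinet, Pulse Secure and Citrix ones) are path-traversal or arbitrary-file-read flaws reached through a single crafted HTTP request, and, as the Talos note above points out, that request arrives inside a TLS session, so a network sensor without decryption never sees it. The appliance’s own web access log is written after decryption, which makes it the practical place to look. The script below is an added example, not code from the NSA, Talos or any vendor: it parses combined-format access-log lines, percent-decodes the URI (twice, to catch double encoding), and flags requests matching the publicly documented traversal paths for CVE-2019-19781, CVE-2019-11510 and CVE-2018-13379 plus any generic `../` sequence. The log lines are constructed, and the per-CVE URI patterns are assumptions that should be checked against the vendor advisories before being used as detection content. The XXE (Zimbra) and command-injection (Workspace ONE) bugs carry their payload in the request body, which an access log does not record, so they need WAF or application-level logging and are not covered here.

```python
"""Added example (not from the original article): flag path-traversal
exploitation attempts against SSL VPN / gateway appliances in web access logs.

Assumptions: combined-log-format input; the per-CVE URI patterns follow the
publicly documented exploitation paths but are the author's assumption here
and must be validated against the vendor advisories before production use."""
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2021:10:01:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1254 "-" "curl/7.68.0"
203.0.113.5 - - [15/Apr/2021:10:01:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2310 "-" "python-requests/2.25"
203.0.113.5 - - [15/Apr/2021:10:01:15 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 8812 "-" "curl/7.68.0"
198.51.100.7 - - [15/Apr/2021:10:02:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2021:10:03:00 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "curl/7.68.0"
198.51.100.9 - - [15/Apr/2021:10:04:00 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 503 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Per-CVE URI patterns (assumed from public advisories; verify before use).
# They are applied to the *decoded* URI so %2e%2e and %252e%252e are caught.
SIGNATURES = [
    ("CVE-2019-19781", re.compile(r"/vpn/\.\./vpns/", re.I)),        # Citrix ADC/Gateway
    ("CVE-2019-11510", re.compile(r"/dana-na/\.\./", re.I)),         # Pulse Connect Secure
    ("CVE-2018-13379", re.compile(r"/remote/fgt_lang\?lang=[^ ]*\.\./", re.I)),  # FortiGate SSL VPN
]
GENERIC_TRAVERSAL = re.compile(r"\.\./|\.\.\\")


def normalize_uri(uri: str) -> str:
    """Percent-decode twice so single- and double-encoded traversal collapses to '../'."""
    decoded = uri
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded


def classify(uri: str):
    """Return the matching CVE id, 'generic-traversal', or None for a benign URI."""
    norm = normalize_uri(uri)
    for cve, pattern in SIGNATURES:
        if pattern.search(norm):
            return cve
    if GENERIC_TRAVERSAL.search(norm):
        return "generic-traversal"
    return None


def scan_log(text: str):
    """Scan access-log text; return one dict per suspicious request.

    A 2xx status on a traversal request is a much stronger signal than a
    4xx (a patched appliance normally rejects the path), so each hit carries
    an 'outcome' field to help triage."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash mid-scan
        label = classify(m["uri"])
        if label is None:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "cve": label,
            "status": status,
            "outcome": "likely-success" if 200 <= status < 300 else "attempt",
            "uri": m["uri"],
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['cve']} {hit['outcome']} {hit['uri']}")
```

Run against a real appliance log, a `likely-success` hit for any of the three CVEs on an unpatched box should be treated as credential compromise of that device (session files and configuration are what these reads expose), not just as a scan; rotate the VPN credentials and certificates after patching, since patching alone does not invalidate what was already taken.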
“Vulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,” Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. “Four of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST’s NVD. It looks like adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.”