US and UK security agencies jointly name Russian ‘Cozy Bear’ one of the APT groups behind campaigns against SolarWinds and once more urge organizations to patch the five vulnerabilities exploited in these attacks.
Russian foreign intelligence service hackers caused quite a stir with their SolarWinds (SolarBurst) campaign, described as one of the most extensive attacks in cyberdefense history. According to the United States and the United Kingdom, they are also responsible for cyberespionage campaigns against Covid-19 research facilities and for high-profile hacks of VMware devices.
In a joint advisory, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) describe the ongoing exploitation of five publicly known vulnerabilities by the Russian Foreign Intelligence Service (SVR) and give recommendations for remediation of the attacks.
The UK has likewise accused the Russian intelligence service of conducting the attacks.
In these SolarWinds supply-chain attacks, Russian APTs gained access to the networks of tens of thousands of organizations around the world, including several US government agencies and the cybersecurity companies FireEye and Mimecast.
Now the US has officially attributed these attacks to the Russian Foreign Intelligence Service (SVR) actor known variously as APT29, Cozy Bear, and The Dukes.
The five reported vulnerabilities are:
- CVE-2018-13379 in Fortinet FortiGate VPN
- CVE-2019-9670 in Synacor Zimbra Collaboration Suite
- CVE-2019-11510 in Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 in Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 in VMware Workspace ONE Access
Many organizations have yet to apply the security patches available from the vendors above and are urged to do so as soon as possible:
“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” said the cybersecurity advisory.