The US Suffers Multiple Attacks By Russian Hackers

 

 

The news followed the Biden Administration’s sanctions against the Russian government, which formerly attributed SolarWinds supply-chain attack to the country’s foreign service: the Russian Foreign Intelligence Service (SVR) actors, also known as APT29, Cozy Bear, and The Dukes. “The US Intelligence Community has high confidence in its assessment of attribution to the SVR,” according to the White House statement. “The SVR’s compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide.”

 

The US National Security Agency (NSA) the Cybersecurity, the Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), has recently said that nation-state actors are using five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualisation technologies to attack US and allied national-security and government networks. 

 

 

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations. 

“NSA, CISA, and FBI also recognise all partners in the private and public sectors for comprehensive and collaborative efforts to respond to recent Russian activity in cyberspace”, says the NSA.

 

According to the NSA,the hackers are conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.” According to the NSA, the following are under widespread attack in cyber-espionage efforts:

CVE-2018-13379:   A directory traversal vulnerability in Fortinet FortOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. 

 

CVE-2019-9670:  This bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacore Zimbra Collaboration Suite.  Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. 

 

CVE-2019-11510:   In Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim’s networks. 

 

CVE-2019-19781:  This critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway that can allow remote code-execution. 

 

CVE-2020-4006:   And finally, a command-injection vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. 

• Update systems and products as soon as possible after patches are released.

• Assume a breach will happen; review accounts and leverage the latest eviction guidance available.

• Disable external management capabilities and set up an out-of-band management network.

• Block obsolete or unused protocols at the network edge and disable them in client device configurations.

• Adopt a mindset that compromise happens: Prepare for incident response activities.

 

NSA:       The White House:     Threatpost:      Health IT Security:      Cyber News Group:      Image: Unsplash

 

 

Western Nations Face A ‘moment of reckoning’ Over Cyber Security: