CISACISA:E46D6B22DC3B3F8B062C07BD8EA4CB7CNSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks
0.975 High
EPSS
Percentile
100.0%
CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.
Specifically, SVR actors are targeting and exploiting the following vulnerabilities:
- CVE-2018-13379 Fortinet FortiGate VPN
- CVE-2019-9670 Synacor Zimbra Collaboration Suite
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 VMware Workspace ONE Access
Additionally the White House has released a statement formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:
- Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
- Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
- Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
- Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST
- Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP
- Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs
- Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page
- Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
CISA strongly encourages users and administrators to review Joint CSA: Russian SVR Targets U.S. and Allied Networks for SVR tactics, techniques, and procedures, as well as mitigation strategies.
This product is provided subject to this Notification and this Privacy & Use policy.
Please share your thoughts.
We recently updated our anonymous product survey; we’d welcome your feedback.
References
/sites/default/files/publications/Supply_Chain_Compromise_Detecting_APT_Activity_from_known_TTPs.pdf
cyber.dhs.gov/ed/21-01/
media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF
nvd.nist.gov/vuln/detail/CVE-2018-13379
nvd.nist.gov/vuln/detail/CVE-2019-11510
nvd.nist.gov/vuln/detail/CVE-2019-19781
nvd.nist.gov/vuln/detail/CVE-2019-9670
nvd.nist.gov/vuln/detail/CVE-2020-4006
us-cert.cisa.gov/ncas/alerts/aa20-352a
us-cert.cisa.gov/ncas/alerts/aa21-008a
us-cert.cisa.gov/ncas/alerts/aa21-077a
us-cert.cisa.gov/ncas/analysis-reports/ar21-039a
us-cert.cisa.gov/ncas/analysis-reports/ar21-039b
us-cert.cisa.gov/remediating-apt-compromised-networks
www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/
www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/
Related
