NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russia and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks.

The NSA, CISA, and the FBI have previously shared mitigations that can be implemented to defend against the exploitation of these vulnerabilities, and patches are available to address all the software flaws. While many organizations have now patched the flaws, the flaws may have already been exploited and networks compromised. Steps should be taken to identify whether systems have been compromised and actions taken to mitigate the loss of sensitive information that could allow Russia to gain a strategic or competitive advantage.

The 5 software vulnerabilities most commonly exploited by the SVR hackers are:

| Vulnerability | Products | Description | Affected Versions |
|---|---|---|---|
| CVE-2018-13379 | Fortinet FortiGate VPNs | Unauthenticated attackers can download system files via HTTP resource requests | Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 |
| CVE-2019-9670 | Synacor Zimbra Collaboration Suite | XML External Entity injection (XXE) vulnerability | 8.7.x before 8.7.11p10. |
| CVE-2019-11510 | Pulse Secure VPNs | An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. | PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 |
| CVE-2019-19781 | Citrix Application Delivery Controller and Gateway | Directory traversal vulnerability allowing an unauthenticated attacker to execute arbitrary code. | Citrix ADC and Gateway versions before,,, and and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b. |
| CVE-2020-4006 | VMware Workspace One Access | Command injection vulnerability that allows an attacker with a valid password to execute commands with unrestricted privileges on the underlying operating system | VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Cloud Foundation 4.0 – 4.1, and VMware vRealize Suite Lifecycle Manager 8.x. |
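
A version-range check over an asset inventory, covering the three table rows whose affected ranges are fully stated (FortiOS, Pulse Connect Secure, Zimbra). This is an added example, not code from the joint advisory: the product keys, hostnames and inventory rows are constructed, and version strings are assumed to be vendor release numbers such as 6.0.4, 8.3R7 or 8.7.11p9.

```python
import re

# Affected ranges transcribed from the table above: (low, high, high_inclusive).
# The product keys are hypothetical inventory labels, not vendor identifiers.
AFFECTED = {
    "fortios": ("CVE-2018-13379", [("6.0.0", "6.0.4", True),
                                   ("5.6.3", "5.6.7", True),
                                   ("5.4.6", "5.4.12", True)]),
    "pulse-pcs": ("CVE-2019-11510", [("8.2", "8.2R12.1", False),
                                     ("8.3", "8.3R7.1", False),
                                     ("9.0", "9.0R3.4", False)]),
    "zimbra": ("CVE-2019-9670", [("8.7", "8.7.11p10", False)]),
}

def vkey(version):
    """Turn '6.0.4', '8.2R12.1' or '8.7.11p10' into a comparable tuple of ints."""
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(n) for n in nums)

def affected_cve(product, version):
    """Return the CVE id if the version falls in a listed range, else None."""
    entry = AFFECTED.get(product.lower())
    if entry is None:
        return None
    cve, ranges = entry
    v = vkey(version)
    for low, high, inclusive in ranges:
        lo, hi = vkey(low), vkey(high)
        # "X to Y" ranges ignore trailing build numbers; "before Y" ranges are strict.
        upper_ok = v[:len(hi)] <= hi if inclusive else v < hi
        if lo <= v and upper_ok:
            return cve
    return None

def triage(inventory):
    """Return (host, product, version, cve) for every affected inventory row."""
    rows = ((h, p, ver, affected_cve(p, ver)) for h, p, ver in inventory)
    return [row for row in rows if row[3]]

# Constructed inventory for illustration only.
INVENTORY = [("vpn-edge-01", "fortios", "6.0.4"), ("vpn-edge-02", "pulse-pcs", "9.0R3.4"),
             ("mail-01", "zimbra", "8.7.11p9"), ("vpn-edge-03", "fortios", "6.2.3")]

if __name__ == "__main__":
    for hit in triage(INVENTORY):
        print(*hit)
```

A host that is no longer in an affected range may still have been compromised before it was patched, so a clean result here does not replace the compromise checks the alert calls for.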

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” according to the alert (PDF).

Formal Attribution of SolarWinds Orion Supply Chain Attack

The United States government has also formally accused the Russian government of orchestrating and conducting the massive SolarWinds Orion supply chain attack, which saw the SVR gain access to around 18,000 computers worldwide and conduct more extensive attacks on cybersecurity companies of the United States and its allies – FireEye, Malwarebytes, Mimecast – and federal agencies in the United States.  Russia has also been formally accused of engaging in activities with the intent of disrupting the U.S. presidential election in November 2020.

Sanctions Imposed on Russia by President Biden

President Biden has signed an executive order blocking property and placing new restrictions on Russia’s sovereign debt to make it harder for the government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign to influence the 2020 U.S. presidential election, under the direction of the Russian government.

All property and assets of those entities and individuals that are subject to U.S. jurisdiction have been blocked and the entities and individuals have been added to OFAC’s SDN list. U.S. persons have been prohibited from engaging in transactions with them. Russian technology companies covered by the sanctions include SVA, Neobit, AST, Positive Technologies, Pasit, and ERA Technologies.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.