NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks

Original release date: April 15, 2021 | Last revised: April 16, 2021

CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.

Specifically, SVR actors are targeting and exploiting the following vulnerabilities:

• CVE-2018-13379 Fortinet FortiGate VPN
• CVE-2019-9670 Synacor Zimbra Collaboration Suite
• CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
• CVE-2019-19781 Citrix Application Delivery Controller and Gateway
• CVE-2020-4006 VMware Workspace ONE Access

Additionally the White House has released a statement formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:

• Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
• Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
• Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
• Malware Analysis Report AR21-039A: MAR-10318845-1.v1 – SUNBURST
• Malware Analysis Report AR21-039B: MAR-10320115-1.v1 – TEARDROP
• Table: SolarWinds and Active Directory/M365 Compromise – Detecting APT Activity from Known TTPs
• Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page
• Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise

CISA strongly encourages users and administrators to review Joint CSA: Russian SVR Targets U.S. and Allied Networks for SVR tactics, techniques, and procedures, as well as mitigation strategies.

Source link