US government is being targeted by the Russian SVR aka APT29
THREAT LEVEL: Red.
For a detailed advisory, download the PDF file here.
The Russian SVR is following its predictable pattern of exploiting publicly known vulnerabilities against US government networks to gain authenticated access to critical infrastructure. It is targeting COVID-19 research facilities by exploiting a VMware zero-day vulnerability and deploying WellMess malware.
The MITRE ATT&CK techniques used by APT29 include:
- Exploiting public-facing applications (T1190)
- Leveraging external remote services (T1133)
- Compromising supply chains (T1195)
- Using valid accounts (T1078)
- Exploiting software for credential access (T1212)
- Forging web credentials: SAML tokens (T1606.002)
The 5 vulnerabilities targeted are:
- CVE-2018-13379 Fortinet
- CVE-2019-9670 Zimbra
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2020-4006 VMware
Actor Details
Name: APT29
Known as: Cozy Bear, The Dukes, Group 100, Yttrium, Iron Hemlock, Minidionis, CloudLook, Grizzly Steppe, CozyCar, CozyDuke
Origin: Russia
Targeted Locations: Austria, Brazil, China, France, Germany, Hungary, Japan, Mexico, Netherlands, New Zealand, Norway, Portugal, South Korea, Spain, Turkey, Ukraine, United States, Uzbekistan
Targeted Sectors: Academic, Aerospace, Energy, Extractive, Financial Services, Government, Industrials, Engineering, Insurance, Media, NGOs, Nonprofits, Oil and Gas, Pharmaceuticals, Technology
Vulnerability Details
Download the PDF file here to read the vulnerability details, including CVE ID, affected versions, affected CPE, vulnerability description and CWE ID.
Patch Links
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033
https://www.securityfocus.com/bid/108693
https://sec.hpi.de/vulndb/details/CVE-2019-9670
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
https://support.citrix.com/article/CTX267027
https://www.vmware.com/security/advisories/VMSA-2020-0027.html
References
https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF
https://securityaffairs.co/wordpress/116891/cyber-warfare-2/russia-svr-actively-targets-5-flaws.html
https://nvd.nist.gov/vuln/detail/CVE-2018-13379
https://nvd.nist.gov/vuln/detail/CVE-2019-9670
https://nvd.nist.gov/vuln/detail/CVE-2019-11510
https://nvd.nist.gov/vuln/detail/CVE-2019-19781
https://nvd.nist.gov/vuln/detail/CVE-2020-4006