The National Cyber Security Centre (NCSC) and counterparts in the US, including the FBI, are warning businesses that Russia’s intelligence service is actively exploiting 11 known flaws to attack businesses.
These vulnerabilities are present in a variety of software products that have already been patched, with the earliest discovered fixed in 2018. The hackers have enjoyed success exploiting them in recent months because many organisations are yet to apply the updates.
The threat groups in question, referred to collectively as SVR, represent a “technologically sophisticated and highly capable” threat, according to the NCSC.
US, UK say Russia was behind SolarWinds hack The top 12 password-cracking techniques used by hackers Hackers leak data from dark web marketplace
The organisation outlined its warnings in a report jointly produced with the FBI, the US Cybersecurity Infrastructure Security Agency (CISA) and the NSA. SVR includes several high profile hacking groups including APT29 and Cozy Bear.
To illustrate how advanced their capabilities are, the force began changing its attack methods after these security agencies published a report last year detailing how the group was targeting organisations involved in COVID-19 vaccine development.
1. Fortinet’s Fortigate / FortiOS - CVE-2018-13379
Hackers are seeking to gain access to government, commercial and technology service networks by chaining several vulnerabilities together, including CVE-2018-13379. This flaw, which carries a score of 9.8 on the CVSS threat severity scale, is used specifically to let an attacker download system files through a specially crafted HTTP resource request.
2. Cisco’s small business routers - CVE-2019-1653
Remote attackers are exploiting a vulnerability in the RV320 and RV325 Dual Gigabit WAN VPN routers for small businesses, manufactured by Cisco, to exfiltrate sensitive information. The vulnerability lies in improper access controls for URLs, with attackers able to exploit this by connecting an unaffected device through HTTP or HTTPS and requesting specific URLs. Attackers can also download the router configuration or detailed diagnostic information.
3. Oracle’s WebLogic Server - CVE-2019-2725
A decentralised flaw in Oracle WebLogic Server, used for building enterprise apps using Java EE standards, would allow hackers to launch remote code execution attacks over a network without the need for a username or password. To exploit the flaw, attackers would send specially crafted XML requests to a WebLogic server, which then causes the server to execute code instructing it to reach out to a specific malicious host to complete the request. The WebLogic server then receives another XML response from the malicious host containing additional exploit instructions.
4. Synacor’s Zimbra Collaboration Suite - CVE-2019-9670
The mailbox component in Synacor’s Zimbra Collaboration Suite, a collaborative suite that includes an email server and a web client, is susceptible to XML External Entity Injection flaw. The Autodiscover Servlet component is used to read a Zimbra configuration file that contains an LDAP password for the account. The credentials are then used to get a user authentication cookie with an AuthRequest message, which, in turn, is used to launch a server-side request forgery attack.
5. Pulse Connect Secure VPN - CVE-2019-11510
Several vulnerabilities in Pulse Connect Secure VPN devices have been chained together in order to spy on the US defence sector. The earliest of the three flaws, CVE-2019-11510, has routinely been exploited using several exploitations since it was first disclosed. It’s an arbitrary file reading flaw that allows sensitive information disclosure, allowing unauthenticated attackers to access private keys and user passwords. It can, therefore, be used as the basis for a wider attack.
6. Various Citrix products - CVE-2019-19781
Hackers have, since last year, been exploiting a critical flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows them to perform arbitrary code execution on a network. The NCSC has also seen attackers deploying various additional payloads once exploitation has taken place. The scope of the flaw also includes Citrix ADC and Citrix Gateway Virtual Appliances hosted on any Citrix Hypervisor, ESX, Hyper-V, KVM, Azure, AWS, GCP, Citrix ADC MPX or Citrix ADC SDX. Citrix also believes the issue affects certain deployments of Citrix SD-WAN.
7. Elastic Stack’s Kibana - CVE-2019-7609
Kibana, a data visualisation dashboard software for Elasticsearch, was embedded with a remote code execution vulnerability in its Timelion tool. Hackers could exploit this flaw in unpatched deployments to send a request that will attempt to execute JavaScript code. This would lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
8. Various VMware products - CVE-2020-4006
State-backed Russian hackers are exploiting this critical flaw in several VMware products in order to access corporate data. The firm previously warned about this command injection flaw in its products, including Workspace One Access and Identity Manager. This vulnerability is a command injection flaw present in the administrative configurator. An attacker with network access on port 8443 and a valid password can execute commands with unrestricted privileges on the underlying operating system.
9. F5’s BIG-IP suite - CVE-2020-5902
Unauthenticated attackers, with network access to the configuration utility of the BIG-IP family of networking hardware and software products, could exploit this flaw to perform a variety of attacks. They can execute arbitrary system commands, create or delete files, disable services and execute Java code. This flaw can also lead to complete system compromise. This vulnerability was assigned a perfect score of ten on the CVSS scale.
10. Oracle’s WebLogic Server - CVE-2020-14882
This is the second Oracle WebLogic Server on the NCSC’s list. The flaw in the platform is easily exploited and allows attackers with network access via HTTP to fully compromise Oracle WebLogic Server deployments. Oracle released a patch to fix CVE-2020-14882 in November, but hackers are still exploiting this flaw with some success.
11. VMware’s virtualisation suite - CVE-2021-21972
The vSphere Client (HTML5) is embedded with a critical remote code execution flaw in a vCenter Server plugin that allows attackers to execute commands with unrestricted privileges on the underlying operating system. This was patched in February alongside two other critical flaws in ESXi. The firm urged customers to patch their systems immediately, but SVR operators have since exploited the bugs to launch attacks against businesses.
