Russian hackers are exploiting these 11 flaws to attack businesses

The NCSC and US counterparts urge businesses to patch a handful of previously discovered flaws as soon as possible

The National Cyber Security Centre (NCSC) and counterparts in the US, including the FBI, are warning businesses that Russia’s intelligence service is actively exploiting 11 known flaws to attack businesses.

These vulnerabilities are present in a variety of software products that have already been patched, with the earliest discovered fixed in 2018. The hackers have enjoyed success exploiting them in recent months because many organisations are yet to apply the updates.

The threat groups in question, referred to collectively as SVR, represent a “technologically sophisticated and highly capable” threat, according to the NCSC.

The organisation outlined its warnings in a report jointly produced with the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) and the NSA. SVR includes several high-profile hacking groups, including APT29 and Cozy Bear.

To illustrate how advanced their capabilities are, the group began changing its attack methods after these security agencies published a report last year detailing how it was targeting organisations involved in COVID-19 vaccine development.

1. Fortinet’s Fortigate / FortiOS - CVE-2018-13379

Hackers are seeking to gain access to government, commercial and technology service networks by chaining several vulnerabilities together, including CVE-2018-13379. This flaw, which carries a score of 9.8 on the CVSS severity scale, lets an attacker download system files through a specially crafted HTTP resource request.

2. Cisco’s small business routers - CVE-2019-1653

Remote attackers are exploiting a vulnerability in the RV320 and RV325 Dual Gigabit WAN VPN routers for small businesses, manufactured by Cisco, to exfiltrate sensitive information. The vulnerability lies in improper access controls for URLs; attackers can exploit it by connecting to an affected device over HTTP or HTTPS and requesting specific URLs. Attackers can also download the router configuration or detailed diagnostic information.

3. Oracle’s WebLogic Server - CVE-2019-2725

A deserialisation flaw in Oracle WebLogic Server, used for building enterprise apps on Java EE standards, allows hackers to launch remote code execution attacks over a network without needing a username or password. To exploit the flaw, attackers send specially crafted XML requests to a WebLogic server, which cause the server to execute code instructing it to reach out to a specific malicious host to complete the request. The WebLogic server then receives another XML response from the malicious host containing additional exploit instructions.

4. Synacor’s Zimbra Collaboration Suite - CVE-2019-9670

The mailbox component in Synacor’s Zimbra Collaboration Suite, a collaborative suite that includes an email server and a web client, is susceptible to an XML External Entity (XXE) injection flaw. The Autodiscover Servlet component is used to read a Zimbra configuration file that contains an LDAP password for the account. The credentials are then used to obtain a user authentication cookie with an AuthRequest message, which, in turn, is used to launch a server-side request forgery attack.

5. Pulse Connect Secure VPN - CVE-2019-11510

Several vulnerabilities in Pulse Connect Secure VPN devices have been chained together in order to spy on the US defence sector. The earliest of the three flaws, CVE-2019-11510, has routinely been exploited since it was first disclosed. It’s an arbitrary file reading flaw that allows sensitive information disclosure, letting unauthenticated attackers access private keys and user passwords. It can, therefore, be used as the basis for a wider attack.


6. Various Citrix products - CVE-2019-19781

Hackers have, since last year, been exploiting a critical flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows them to perform arbitrary code execution on a network. The NCSC has also seen attackers deploying various additional payloads once exploitation has taken place. The scope of the flaw also includes Citrix ADC and Citrix Gateway Virtual Appliances hosted on any Citrix Hypervisor, ESX, Hyper-V, KVM, Azure, AWS, GCP, Citrix ADC MPX or Citrix ADC SDX. Citrix also believes the issue affects certain deployments of Citrix SD-WAN.

7. Elastic Stack’s Kibana - CVE-2019-7609

Kibana, a data visualisation dashboard for Elasticsearch, contains a remote code execution vulnerability in its Timelion tool. Hackers could exploit this flaw in unpatched deployments by sending a request that attempts to execute JavaScript code. This would lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.

8. Various VMware products - CVE-2020-4006

State-backed Russian hackers are exploiting this critical flaw in several VMware products in order to access corporate data. The firm previously warned about this command injection flaw, which is present in the administrative configurator of products including Workspace One Access and Identity Manager. An attacker with network access on port 8443 and a valid password can execute commands with unrestricted privileges on the underlying operating system.

9. F5’s BIG-IP suite - CVE-2020-5902

Unauthenticated attackers with network access to the configuration utility of the BIG-IP family of networking hardware and software products could exploit this flaw to perform a variety of attacks. They can execute arbitrary system commands, create or delete files, disable services and execute Java code. This flaw can lead to complete system compromise, and it was assigned the maximum score of 10 on the CVSS scale.

10. Oracle’s WebLogic Server - CVE-2020-14882

This is the second Oracle WebLogic Server flaw on the NCSC’s list. The flaw in the platform is easily exploited and allows attackers with network access via HTTP to fully compromise Oracle WebLogic Server deployments. Oracle released a patch to fix CVE-2020-14882 in November, but hackers are still exploiting this flaw with some success.

11. VMware’s virtualisation suite - CVE-2021-21972

The vSphere Client (HTML5) contains a critical remote code execution flaw in a vCenter Server plugin that allows attackers to execute commands with unrestricted privileges on the underlying operating system. This was patched in February alongside two other critical flaws in ESXi. The firm urged customers to patch their systems immediately, but SVR operators have since exploited the bugs to launch attacks against businesses.
