Russian hackers are exploiting these 11 flaws to attack businesses

The NCSC and US counterparts urge businesses to patch a handful of previously discovered flaws as soon as possible

The National Cyber Security Centre (NCSC) and counterparts in the US, including the FBI, are warning businesses that Russia’s Foreign Intelligence Service (SVR) is actively exploiting 11 known flaws to attack businesses.

These vulnerabilities affect a variety of software products and have all been patched by their vendors; the oldest was assigned a CVE identifier in 2018. The attackers have nevertheless succeeded in exploiting them in recent months because many organisations have yet to apply the updates.

The actor in question, the SVR, is tracked by the security industry under names including APT29 and Cozy Bear, and represents a “technologically sophisticated and highly capable” threat, according to the NCSC.

The NCSC outlined its warnings in a report jointly produced with the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

As an illustration of how adaptable the group is, it changed its tooling and techniques after the same agencies published a report last year detailing how it was targeting organisations involved in COVID-19 vaccine development.

1. Fortinet’s FortiGate / FortiOS - CVE-2018-13379

Hackers are gaining access to government, commercial and technology service networks by chaining several vulnerabilities together, including CVE-2018-13379. This flaw, which carries a score of 9.8 on the CVSS severity scale, is a path traversal in the FortiOS SSL VPN web portal that lets an unauthenticated attacker download system files through a specially crafted HTTP resource request.

2. Cisco’s small business routers - CVE-2019-1653

Remote attackers are exploiting a vulnerability in Cisco’s RV320 and RV325 Dual Gigabit WAN VPN routers for small businesses to exfiltrate sensitive information. The vulnerability lies in improper access controls for URLs: an attacker can exploit it by connecting to an affected device over HTTP or HTTPS and requesting specific URLs, without authenticating. A successful exploit allows the attacker to download the router configuration or detailed diagnostic information.

3. Oracle’s WebLogic Server - CVE-2019-2725

A deserialisation flaw in Oracle WebLogic Server, the application server used for building enterprise apps on Java EE standards, allows remote code execution over a network without a username or password. To exploit the flaw, attackers send specially crafted XML requests to a WebLogic server, causing it to execute code that instructs it to reach out to a malicious host to complete the request. The WebLogic server then receives a further XML response from the malicious host containing additional exploit instructions.

4. Synacor’s Zimbra Collaboration Suite - CVE-2019-9670

The mailboxd component of Synacor’s Zimbra Collaboration Suite, a collaboration suite that includes an email server and a web client, is susceptible to an XML External Entity (XXE) injection flaw in its Autodiscover servlet. In the published exploit chain, the XXE is used to read a Zimbra configuration file that contains an LDAP password. Those credentials are then used to obtain a user authentication cookie with an AuthRequest message, which in turn is used to launch a server-side request forgery attack.

5. Pulse Connect Secure VPN - CVE-2019-11510

Several vulnerabilities in Pulse Connect Secure VPN devices have been chained together in order to spy on the US defence sector. The earliest of these flaws, CVE-2019-11510, has been exploited repeatedly since it was first disclosed. It is an arbitrary file read that allows sensitive information disclosure, letting unauthenticated attackers retrieve private keys and user passwords. It can therefore serve as the starting point for a wider attack.


6. Various Citrix products - CVE-2019-19781

Hackers have, since last year, been exploiting a critical flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows unauthenticated arbitrary code execution on the appliance. The NCSC has also seen attackers deploy various additional payloads once exploitation has taken place. The scope of the flaw includes Citrix ADC and Citrix Gateway virtual appliances hosted on Citrix Hypervisor, ESX, Hyper-V, KVM, Azure, AWS or GCP, as well as Citrix ADC MPX and SDX appliances. Citrix also believes the issue affects certain deployments of Citrix SD-WAN.

7. Elastic Stack’s Kibana - CVE-2019-7609

Kibana, the data visualisation dashboard for Elasticsearch, has a remote code execution vulnerability in its Timelion tool. An attacker with access to Timelion on an unpatched deployment can send a request that attempts to execute JavaScript code, which can lead to arbitrary commands running with the permissions of the Kibana process on the host system.

8. Various VMware products - CVE-2020-4006

State-backed Russian hackers are exploiting this critical flaw in several VMware products in order to access corporate data. The firm previously warned about the vulnerability, a command injection flaw in the administrative configurator of products including Workspace ONE Access and Identity Manager. An attacker with network access to the configurator on port 8443 and a valid password for its admin account can execute commands with unrestricted privileges on the underlying operating system.

9. F5’s BIG-IP suite - CVE-2020-5902

Unauthenticated attackers with network access to the configuration utility of the BIG-IP family of networking hardware and software products can exploit this flaw to perform a variety of attacks: executing arbitrary system commands, creating or deleting files, disabling services and executing Java code. It can lead to complete system compromise, and was assigned the maximum CVSS score of 10.0.

10. Oracle’s WebLogic Server - CVE-2020-14882

This is the second Oracle WebLogic Server flaw on the NCSC’s list. It is easily exploited and allows unauthenticated attackers with network access via HTTP to fully compromise Oracle WebLogic Server deployments. Oracle fixed CVE-2020-14882 in its October 2020 Critical Patch Update, but hackers are still exploiting the flaw with some success.

11. VMware’s virtualisation suite - CVE-2021-21972 

The vSphere Client (HTML5) has a critical remote code execution flaw in a vCenter Server plugin that allows attackers with network access to port 443 to execute commands with unrestricted privileges on the operating system hosting vCenter Server. It was patched in February alongside two other flaws in vCenter Server and ESXi. The firm urged customers to patch immediately, but SVR operators have since exploited the bug to launch attacks against businesses.
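The practical question for most defenders is whether any of these flaws has already been probed on their perimeter. The following Python is an added example, not code from the NCSC/CISA report or the original article: it hunts a web-server access log for request paths associated with eight of the eleven CVEs above. The request-path signatures are publicly documented exploitation indicators for those CVEs rather than anything stated on this page, the log lines are constructed for the example, and the three flaws whose exploitation is not visible in a request line (Kibana Timelion, Zimbra XXE, Workspace ONE command injection) are deliberately left out.

```python
"""Hunt a combined-format web access log for requests matching known
exploitation indicators of several CVEs in the NCSC/CISA SVR advisory.
Example code; signatures are public IOCs, not taken from the advisory."""
import re
from urllib.parse import unquote

# Request-path indicators per CVE (assumption of this example: these are the
# widely published exploit paths; tune them to your own logging before use).
SIGNATURES = {
    "CVE-2018-13379": re.compile(r"/remote/fgt_lang\?lang=[^ ]*\.\./"),       # FortiOS SSL VPN traversal
    "CVE-2019-1653":  re.compile(r"/cgi-bin/config\.exp"),                    # Cisco RV320/RV325 config export
    "CVE-2019-2725":  re.compile(r"/_async/AsyncResponseService"),            # WebLogic async deserialisation
    "CVE-2019-11510": re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/[^ ]*\.\./"),  # Pulse file read
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/"),                         # Citrix ADC/Gateway traversal
    "CVE-2020-5902":  re.compile(r"/tmui/login\.jsp/\.\.;/"),                 # F5 TMUI traversal
    "CVE-2020-14882": re.compile(r"(?i)/console/[^ ]*(?:%252e%252e|%2e%2e)[^ ]*console\.portal"),  # WebLogic console
    "CVE-2021-21972": re.compile(r"/ui/vropspluginui/rest/services/uploadova"),  # vCenter plugin upload
}

# Combined log format: client ident user [timestamp] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2021:08:01:12 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 1312
203.0.113.10 - - [10/Jun/2021:08:01:15 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2211
198.51.100.7 - - [10/Jun/2021:08:02:40 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
198.51.100.7 - - [10/Jun/2021:08:02:41 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1911
198.51.100.7 - - [10/Jun/2021:08:03:02 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 302 0
198.51.100.7 - - [10/Jun/2021:08:03:09 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
192.0.2.44 - - [10/Jun/2021:08:05:00 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 5320
192.0.2.44 - - [10/Jun/2021:08:05:10 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 12
192.0.2.44 - - [10/Jun/2021:08:05:11 +0000] "GET /index.html HTTP/1.1" 200 4521
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_cves(path):
    """Return the sorted CVE IDs whose signature matches the raw or once-decoded path.
    Checking both forms catches single-encoded traversal ('%2e%2e') without
    breaking the double-encoded WebLogic pattern, which is matched raw."""
    candidates = {path, unquote(path)}
    return sorted(cve for cve, rx in SIGNATURES.items()
                  if any(rx.search(c) for c in candidates))


def hunt(lines):
    """Yield one finding per (line, CVE) match, preserving log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for cve in match_cves(rec["path"]):
            findings.append({"cve": cve, "client": rec["client"],
                             "status": rec["status"], "path": rec["path"]})
    return findings


def by_client(findings):
    """Group matched CVEs per source address, to see who is probing what."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["client"], set()).add(f["cve"])
    return {client: sorted(cves) for client, cves in grouped.items()}


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["client"]} {h["cve"]} status={h["status"]} {h["path"]}')
    print(by_client(hits))
```

A 200 response to one of these paths on an unpatched appliance is the signal to treat the host as compromised rather than merely scanned; a 404 or 302 usually indicates a probe against a patched or non-vulnerable target, but the source address is still worth blocking and correlating with other logs.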
