
NSA, FBI, CISA Statement on Russian SVR Activity

Summary of the Statement

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint statement on five different vulnerabilities that the Foreign Intelligence Service of the Russian Federation (SVR RF) is known to be exploiting currently.


How does this affect your business?

Even if your business is not a target of the SVR RF, other threat actors, such as ransomware gangs, are taking advantage of the same vulnerabilities. Therefore, if you have been using any of the affected product versions, you should take them offline, upgrade to the most recent version, and begin an incident response process to verify that your servers are not compromised. Additionally, Cymonix recommends performing the same process on other recently exploited products such as SolarWinds Orion and Microsoft Exchange Server.


Affected Product Versions & Associated CVEs

  • Fortinet FortiGate VPN

      • Version: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12

      • CVE: CVE-2018-13379


  • Synacor Zimbra Collaboration Suite

      • Version: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10

      • CVE: CVE-2019-9670


  • Pulse Secure Pulse Connect Secure VPN

      • Version: Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4

      • CVE: CVE-2019-11510


  • Citrix Application Delivery Controller and Gateway

      • Version: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12, and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b

      • CVE: CVE-2019-19781


  • VMware Workspace ONE Access

      • Version: VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1-3.3.3 on Linux, VMware Identity Manager Connector 3.3.1-3.3.3 and 19.03, VMware Cloud Foundation 4.0-4.1, and VMware vRealize Suite Lifecycle Manager 8.x

      • CVE: CVE-2020-4006
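
To triage an asset inventory against the version ranges listed above, the following Python is an added example (not code from the joint statement or from Cymonix). The product keys, hostnames and inventory rows are constructed, and it assumes each version is supplied as the bare version string; VMware is left out because its entry spans several differently versioned products.

```python
import re

# Ranges transcribed from the list above. INCLUSIVE: both ends are affected.
INCLUSIVE = {
    "fortios": [("6.0.0", "6.0.4"), ("5.6.3", "5.6.7"), ("5.4.6", "5.4.12")],
}
# "before X": affected when on the same major.minor branch and older than X.
FIRST_FIXED = {
    "zimbra": ["8.7.11p10"],
    "pulse": ["8.2R12.1", "8.3R7.1", "9.0R3.4"],
    "citrix-adc": ["13.0.47.24", "12.1.55.18", "12.0.63.13", "11.1.63.15", "10.5.70.12"],
}
CVE = {"fortios": "CVE-2018-13379", "zimbra": "CVE-2019-9670",
       "pulse": "CVE-2019-11510", "citrix-adc": "CVE-2019-19781"}

def parse(version):
    """'8.2R12.1' -> (8, 2, 12, 1); '8.7.11p10' -> (8, 7, 11, 10)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def matched_cve(product, version):
    """Return the CVE if the version falls in a listed range, else None.
    None means "not in this list", not "known safe"."""
    v = parse(version)
    for low, high in INCLUSIVE.get(product, []):
        # Compare only major.minor.patch so a trailing build number is ignored.
        if parse(low) <= v[:3] <= parse(high):
            return CVE[product]
    for fixed in FIRST_FIXED.get(product, []):
        f = parse(fixed)
        if v[:2] == f[:2] and v < f:
            return CVE[product]
    return None

def triage(inventory):
    """Map host -> CVE for each row that needs upgrading and incident response."""
    hits = {}
    for host, product, version in inventory:
        cve = matched_cve(product, version)
        if cve:
            hits[host] = cve
    return hits

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("vpn-edge-1", "fortios", "6.0.4"), ("vpn-edge-2", "fortios", "6.0.5"),
          ("mail-1", "zimbra", "8.7.11p9"), ("ra-1", "pulse", "9.0R3.4"),
          ("adc-1", "citrix-adc", "12.1.55.13")]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host that does not appear in the result is only outside the ranges listed on this page; confirm against the vendor advisory before treating it as patched.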


Remediation

If your business is running any of the aforementioned product versions, upgrade immediately to the most recent versions following the guides for each product below:








Additionally, Cymonix recommends beginning an incident response process on any servers exposed to the internet that are running these product versions, as they are actively being exploited in the wild.


Associated Links

NSA, FBI & CISA Statement: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/


CVE Links:






If you would like to discuss any of the above topics further, feel free to contact us!
