The mastermind that orchestrated the SolarWinds cyber attack may finally have a name. On Thursday, April 15, 2021, the White House officially announced that the Russian Foreign Intelligence Service (SVR), whose operators are tracked as APT29, Cozy Bear and The Dukes, was responsible for the campaign that exploited the SolarWinds Orion platform.

But the attacks are not over yet.

A joint advisory from the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) warns that SVR is still exploiting 5 vulnerabilities.

These attacks harvest authentication credentials in order to further compromise United States government networks.

Which Vulnerabilities is the Russian Intelligence Service (SVR) Exploiting?

Here are the 5 vulnerabilities currently being targeted by SVR:

  • CVE-2019-11510
  • CVE-2018-13379
  • CVE-2019-9670
  • CVE-2019-19781
  • CVE-2020-4006

Necessary patches should be installed for each of the above vulnerabilities immediately. For more detail on each vulnerability and patch download instructions, read on.

What is CVE-2019-11510?

CVE-2019-11510 is the most severe vulnerability in this list (CVSS 3.x base score 10.0). It affects Pulse Connect Secure (Pulse Secure VPN) appliances: an unauthenticated remote attacker can send a specially crafted URI and read arbitrary files from the VPN server, including files that hold cached credentials and active session data, which is why patching alone does not undo a compromise that has already taken place.

Which Products are Affected?

CVE-2019-11510 affects Pulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.

How to Download Patch for CVE-2019-11510

All users of affected Pulse Connect Secure versions must install the corresponding fixed release from the Pulse Secure Download Center, and should then reset the credentials of accounts that could have been read from the appliance.

What is CVE-2018-13379?

This vulnerability has been exploited by threat actors in the past. CVE-2018-13379 is a path traversal vulnerability in the SSL VPN web portal of Fortinet FortiOS, the operating system of FortiGate firewalls.

CVE-2018-13379 can be readily exploited by sending a single unauthenticated HTTP request containing a path traversal sequence to a vulnerable FortiGate SSL VPN portal. This allows threat actors to download and read system files from the targeted device, including files that hold VPN session data and plaintext credentials.

Which Products are Affected?

The following FortiOS versions are impacted by CVE-2018-13379 when the SSL VPN web portal is enabled:

  • Fortinet FortiOS 6.0.0 to 6.0.4
  • Fortinet FortiOS 5.6.3 to 5.6.7
  • Fortinet FortiOS 5.4.6 to 5.4.12

For mitigation instructions, refer to this FortiGuard Labs article.

How to Download Patch for CVE-2018-13379

A patch for CVE-2018-13379 can be downloaded from FortiGuard. The fixed releases are FortiOS 5.4.13, 5.6.8, 6.0.5 and 6.2.0 or later. Because the vulnerability exposes stored credentials, upgrading should be followed by a password reset for SSL VPN users.

What is CVE-2019-9670?

CVE-2019-9670 is an XML External Entity injection (XXE) vulnerability in the mailboxd component of the Synacor Zimbra Collaboration Suite. Once exploited, threat actors can read files from the application server's filesystem and interact with any back-end systems the targeted software has access to.

What Products are Affected?

CVE-2019-9670 impacts Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.

How to Download Patch for CVE-2019-9670

The fix for CVE-2019-9670 is included in Zimbra Collaboration Suite 8.7.11 Patch 10 (8.7.11p10) and later; download the patch matching your affected 8.7.x installation from Zimbra.

What is CVE-2019-19781?

CVE-2019-19781 is a directory traversal vulnerability in the Citrix Application Delivery Controller (ADC, formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway). Citrix disclosed it on December 17, 2019. An unauthenticated attacker can use the traversal to reach scripts that should not be exposed, write a file to a location on the appliance's disk and thereby execute arbitrary code remotely.

Refer to this CISA post for CVE-2019-19781 detection instructions.
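The detection guidance for CVE-2019-19781, and the Fortinet and Pulse Secure file-read vulnerabilities above, all come down to the same observation: a ".." segment should never reach a VPN or ADC appliance's web server in a request line, because browsers resolve dot-segments before sending. The script below is an added example for this article, not code from the NSA/CISA/FBI advisory, CISA's detection post or any vendor. It percent-decodes each request URI in an NCSA-style access log, counts traversal segments in the path and in query values, and tags each hit with the CVE suggested by the documented URL prefix of the vulnerable component ("/vpns/" for Citrix ADC and Gateway, "/remote/" for the FortiOS SSL VPN portal, "/dana-na/" for Pulse Connect Secure). The log lines are constructed for illustration, and the prefix-to-CVE mapping is an assumption used only as a triage hint; the authoritative signatures are the ones in the CISA and vendor guidance.

```python
"""Flag path-traversal attempts in VPN/ADC web access logs.

Added example for this article; not code from the NSA/CISA/FBI advisory or
from any vendor. Log format assumed: NCSA combined (Apache-style).
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines (not from a real capture). The traversal
# URIs follow the documented request shapes for the CVEs on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2021:10:02:11 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1024 "-" "curl/7.68.0"
192.0.2.44 - - [15/Apr/2021:10:03:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 7321 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2021:10:05:40 +0000] "GET /remote/fgt_lang?lang=/../../../../etc/passwd HTTP/1.1" 200 2048 "-" "python-requests/2.25"
198.51.100.8 - - [15/Apr/2021:10:06:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Apr/2021:10:07:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd HTTP/1.1" 200 980 "-" "Mozilla/5.0"
192.0.2.45 - - [15/Apr/2021:10:09:16 +0000] "GET /vpn/%252e%252e/vpns/cfg/smb.conf HTTP/1.1" 404 221 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: a traversal sequence aimed at one of these documented URL
# prefixes most likely targets the named CVE. Treat as a triage hint only.
PREFIX_HINTS = {
    "/vpns/": "CVE-2019-19781 (Citrix ADC/Gateway)",
    "/remote/": "CVE-2018-13379 (FortiOS SSL VPN portal)",
    "/dana-na/": "CVE-2019-11510 (Pulse Connect Secure)",
}


def normalize_uri(uri: str) -> str:
    """Percent-decode up to three times (double encoding is a common evasion)
    and fold backslashes to forward slashes before looking at segments."""
    prev, cur = None, uri
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def traversal_segments(uri: str) -> int:
    """Count '..' segments in the decoded path and in every query value.
    Browsers resolve dot-segments before sending, so any '..' that reaches
    the appliance is a strong signal of a hand-crafted request."""
    decoded = normalize_uri(uri)
    path, _, query = decoded.partition("?")
    candidates = [path] + [kv.partition("=")[2] for kv in query.split("&")]
    return sum(seg == ".." for c in candidates for seg in c.split("/"))


def classify(uri: str) -> str:
    """Attribute a traversal attempt to a CVE by the vulnerable component's
    URL prefix; anything else is reported as an unattributed traversal."""
    decoded = normalize_uri(uri)
    for prefix, hint in PREFIX_HINTS.items():
        if prefix in decoded:
            return hint
    return "unattributed traversal"


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per request that carries at least one '..' segment."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate non-NCSA lines rather than abort the scan
        n = traversal_segments(m["uri"])
        if n == 0:
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "uri": m["uri"], "status": m["status"],
            "dotdot": n, "hint": classify(m["uri"]),
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["uri"]} '
              f'status={h["status"]} dotdot={h["dotdot"]} -> {h["hint"]}')
```

Run it against the appliance's own web access log (for example httpaccess.log on Citrix ADC, or exported SSL VPN portal logs). A hit that returned a 200 on a device that has since been patched still deserves investigation, because the concern in the advisory is credential theft that outlives the patch.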

What Products are Affected?

The following products are impacted by CVE-2019-19781:

  • Citrix NetScaler ADC and NetScaler Gateway version 10.5
  • Citrix ADC and NetScaler Gateway version 11.1
  • Citrix ADC and NetScaler Gateway version 12.0
  • Citrix ADC and NetScaler Gateway version 12.1
  • Citrix ADC and Citrix Gateway version 13.0

For mitigation steps, refer to this Citrix Knowledge Base article.

How to Download Patches for CVE-2019-19781

Citrix ships the fix in a dedicated build for each affected release line (13.0-47.24, 12.1-55.18, 12.0-63.13, 11.1-63.15 and 10.5-70.12); download the build that matches your version from Citrix.

What is CVE-2020-4006?

CVE-2020-4006 is a command injection vulnerability in VMware Workspace One Access, VMware Identity Manager (vIDM) and related products. To exploit it, an attacker needs network access to the administrative configurator service (usually TCP port 8443) and a valid password for the configurator admin account. Restricting network access to that port is therefore a meaningful compensating control until the patch is applied.

Once exploited, an attacker can inject commands with unrestricted privileges on the targeted operating system.

What Products are Affected?

The following products are impacted by CVE-2020-4006:

  • VMware Cloud Foundation 4.x
  • VMware vRealize Suite Lifecycle Manager 8.x
  • VMware Identity Manager (vIDM) 3.3.1, 3.3.2 and 3.3.3 on Linux
  • VMware Workspace One Access 20.01 and 20.10 on Linux
  • VMware Identity Manager Connector 3.3.1, 3.3.2, 3.3.3 and 19.03

How to Download Patch for CVE-2020-4006

Patches for affected VMware products are listed in VMware security advisory VMSA-2020-0027 and can be downloaded from the VMware knowledge base.

Detect All Vulnerabilities In Your Ecosystem with UpGuard

UpGuard integrates a data leak detection engine with Third-Party Risk management, to create the world’s leading attack surface monitoring solution.
