Cyber Crime

SolarWinds Hack – US officially Blames Russian Intel Agency Hackers


The US has designated 6 Russian technology companies involved in developing tools to facilitate malicious cyber activities like the SolarWinds hack.

In a new development, the United States and the United Kingdom have announced that hackers working for the Russian Foreign Intelligence Service (SVR) are behind the infamous SolarWinds hack and other recently targeted espionage campaigns including attacks on COVID-19 vaccine research facilities.

FBI, NSA, CISA on one page

In a joint cybersecurity advisory [PDF], the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) state that hackers linked to SVR are also exploiting vulnerabilities in five popular VPN services. These include the following:

CVE-2020-4006 VMware

CVE-2018-13379 Fortinet

CVE-2019-9670 Zimbra

CVE-2019-19781 Citrix

CVE-2019-11510 Pulse Secure

Initial SolarWinds Supply Chain Breach

Microsoft and Palo Alto Networks both confirmed that SolarWinds’ Orion software breach was an APT group’s work. The supply chain attack was initially reported on December 8th, 2020, when FireEye confirmed being targeted by a state-backed group that stole its Red Team assessment tools.

On December 13th, 2020, SolarWinds announced that it was hacked and its software channel was compromised to put out malicious updates on approx. 18,000 of its Orion platform users, referring to an ongoing supply chain attack.

Who is SVR?

The Foreign Intelligence Service of the Russian Federation (SVR) is Russia’s external intelligence agency. The cybersecurity fraternity also identifies the agency as The Dukes, CozyBear, Grizzly Bear, CozyCar, or APT29.

For the last few years, SVR is reportedly behind large-scale cyber-attacks including exploiting zero-days, malware infection, authentication abuse, and targeted attacks on facilities involved in research and development of the Covid-19 vaccine.

Retaliation from the US

In response to actions that include the SolarWinds hack,  the United States has expelled 10 top Russian diplomats from the country and also announced new sanctions on Russia, reports Associated Press (AP).

On the other hand, the U.S. Department of the Treasury has revealed that 6 Russian technology firms were involved in developing tools that played a vital role in the SolarWinds hack. 

  1. Neobit, OOO (Neobit)
  2. ERA Technopolis; Pasit, AO (Pasit)
  3. Advanced System Technology, AO (AST); and 
  4. Pozitiv Teknolodzhiz, AO (Positive Technologies).
  5. Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA).

The private and state-owned companies designated today enable the Russian Intelligence Services’ cyber activities. These companies provide a range of services to the FSB, GRU, and SVR, ranging from providing expertise, to developing tools and infrastructure, to facilitating malicious cyber activities, the Department said in a press release.

Time to install security patches

Last week, CISA and the FBI announced that advanced persistent threat (APT) nation-state actors are exploiting known vulnerabilities in the Fortinet FortiOS including targeting the vulnerable devices with Cringe ransomware.

It is noteworthy that Fortinet has already released related security patches however companies who are yet to update their systems are at risk.

FortiOS SSL VPNs are used in border firewalls. These are responsible for cordoning off sensitive internal networks from other public Internet connections.

About FortiOS bugs

The CVE-2018-13379 is a path-traversal bug in Fortinet FortiOS in which the SSL VPN web portal lets an unauthorized attacker download system files through specially designed HTTP resource requests.

The CCVE-2019-5591 bug is a default configuration vulnerability allowing an unauthenticated attacker on the same subnet to capture sensitive information simply by mimicking the LDAP server.

The CVE-2020-12812 is an improper authentication flaw in the FortiOS SSL VPN that lets a user successfully login without being prompted for FortiToken (the second factor of authentication) if they change the username case.

In a blog post, the company warns that “If you are not running the latest release for your release train, you should look at the Fortinet PSIRT Website to assess the potential risks that this could pose in your environment.”

You can also go through the security advisory issued by the United Kingdom’s National Cyber Security Center on risks surrounding the vulnerable FortiOS SSL VPN servers.


Comments
To Top

Pin It on Pinterest

Share This