IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Russian hackers are exploiting these 11 flaws to attack businesses

The NCSC and US counterparts urge businesses to patch a handful of previously discovered flaws as soon as possible

The National Cyber Security Centre (NCSC) and counterparts in the US, including the FBI, are warning businesses that Russia’s intelligence service is actively exploiting 11 known flaws to attack businesses.

These vulnerabilities are present in a variety of software products that have already been patched, with the earliest discovered fixed in 2018. The hackers have enjoyed success exploiting them in recent months because many organisations are yet to apply the updates.

The threat groups in question, referred to collectively as SVR, represent a “technologically sophisticated and highly capable” threat, according to the NCSC.

The organisation outlined its warnings in a report jointly produced with the FBI, the US Cybersecurity Infrastructure Security Agency (CISA) and the NSA. SVR includes several high profile hacking groups including APT29 and Cozy Bear.

To illustrate how advanced their capabilities are, the force began changing its attack methods after these security agencies published a report last year detailing how the group was targeting organisations involved in COVID-19 vaccine development.

1. Fortinet’s Fortigate / FortiOS - CVE-2018-13379

Hackers are seeking to gain access to government, commercial and technology service networks by chaining several vulnerabilities together, including CVE-2018-13379. This flaw, which carries a score of 9.8 on the CVSS threat severity scale, is used specifically to let an attacker download system files through a specially crafted HTTP resource request. 

2. Cisco’s small business routers - CVE-2019-1653

Remote attackers are exploiting a vulnerability in the RV320 and RV325 Dual Gigabit WAN VPN routers for small businesses, manufactured by Cisco, to exfiltrate sensitive information. The vulnerability lies in improper access controls for URLs, with attackers able to exploit this by connecting an unaffected device through HTTP or HTTPS and requesting specific URLs. Attackers can also download the router configuration or detailed diagnostic information.

3. Oracle’s WebLogic Server - CVE-2019-2725

A decentralised flaw in Oracle WebLogic Server, used for building enterprise apps using Java EE standards, would allow hackers to launch remote code execution attacks over a network without the need for a username or password. To exploit the flaw, attackers would send specially crafted XML requests to a WebLogic server, which then causes the server to execute code instructing it to reach out to a specific malicious host to complete the request. The WebLogic server then receives another XML response from the malicious host containing additional exploit instructions. 

4. Synacor’s Zimbra Collaboration Suite - CVE-2019-9670

The mailbox component in Synacor’s Zimbra Collaboration Suite, a collaborative suite that includes an email server and a web client, is susceptible to XML External Entity Injection flaw. The Autodiscover Servlet component is used to read a Zimbra configuration file that contains an LDAP password for the account. The credentials are then used to get a user authentication cookie with an AuthRequest message, which, in turn, is used to launch a server-side request forgery attack. 

5. Pulse Connect Secure VPN - CVE-2019-11510

Several vulnerabilities in Pulse Connect Secure VPN devices have been chained together in order to spy on the US defence sector. The earliest of the three flaws, CVE-2019-11510, has routinely been exploited using several exploitations since it was first disclosed. It’s an arbitrary file reading flaw that allows sensitive information disclosure, allowing unauthenticated attackers to access private keys and user passwords. It can, therefore, be used as the basis for a wider attack.

Related Resource

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Cyber resilience for dummies - How to improve cyber resilience within your organisation - whitepaper from MimecastDownload now

6. Various Citrix products - CVE-2019-19781

Hackers have, since last year, been exploiting a critical flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows them to perform arbitrary code execution on a network. The NCSC has also seen attackers deploying various additional payloads once exploitation has taken place. The scope of the flaw also includes Citrix ADC and Citrix Gateway Virtual Appliances hosted on any Citrix Hypervisor, ESX, Hyper-V, KVM, Azure, AWS, GCP, Citrix ADC MPX or Citrix ADC SDX. Citrix also believes the issue affects certain deployments of Citrix SD-WAN.

7. Elastic Stack’s Kibana - CVE-2019-7609

Kibana, a data visualisation dashboard software for Elasticsearch, was embedded with a remote code execution vulnerability in its Timelion tool. Hackers could exploit this flaw in unpatched deployments to send a request that will attempt to execute JavaScript code. This would lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. 

8. Various VMware products - CVE-2020-4006

State-backed Russian hackers are exploiting this critical flaw in several VMware products in order to access corporate data. The firm previously warned about this command injection flaw in its products, including Workspace One Access and Identity Manager. This vulnerability is a command injection flaw present in the administrative configurator. An attacker with network access on port 8443 and a valid password can execute commands with unrestricted privileges on the underlying operating system.

9. F5’s BIG-IP suite - CVE-2020-5902

Unauthenticated attackers, with network access to the configuration utility of the BIG-IP family of networking hardware and software products, could exploit this flaw to perform a variety of attacks. They can execute arbitrary system commands, create or delete files, disable services and execute Java code. This flaw can also lead to complete system compromise. This vulnerability was assigned a perfect score of ten on the CVSS scale.

10. Oracle’s WebLogic Server - CVE-2020-14882

This is the second Oracle WebLogic Server on the NCSC’s list. The flaw in the platform is easily exploited and allows attackers with network access via HTTP to fully compromise Oracle WebLogic Server deployments. Oracle released a patch to fix CVE-2020-14882 in November, but hackers are still exploiting this flaw with some success.

11. VMware’s virtualisation suite - CVE-2021-21972 

The vSphere Client (HTML5) is embedded with a critical remote code execution flaw in a vCenter Server plugin that allows attackers to execute commands with unrestricted privileges on the underlying operating system. This was patched in February alongside two other critical flaws in ESXi. The firm urged customers to patch their systems immediately, but SVR operators have since exploited the bugs to launch attacks against businesses. 

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Most Popular

The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022