Commonly Exploited Vulnerabilities

Priority: High


Executive Summary:

In a series of coordinated cyber attacks beginning on 14 January 2022 and attributed to Russian state-sponsored actors, more than 70 Ukrainian government websites were defaced or rendered inaccessible. Russian threat actors have used spear-phishing, brute-force attacks and the exploitation of known vulnerabilities to gain access to target networks, compromising third-party infrastructure and software or deploying custom malware. The actors have also demonstrated the ability to maintain long-term, undetected persistence in compromised environments by using legitimate credentials. Microsoft has outlined a new destructive malware family, WhisperGate, attributed to the threat actor DEV-0586; it disables Windows Defender Threat Protection and was discovered to have targeted multiple organisations in Ukraine. As a result, the US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and National Security Agency (NSA) have released a joint advisory on how to detect, respond to and mitigate cyber attacks orchestrated by Russian state-sponsored actors.

The vulnerabilities exploited by Russian hacking groups to gain an initial foothold, described in the advisory as “common but effective”, are listed below:

CVE-2018-13379   FortiGate VPNs
CVE-2019-1653    Cisco router
CVE-2019-2725    Oracle WebLogic Server
CVE-2019-7609    Kibana
CVE-2019-9670    Zimbra software
CVE-2019-10149   Exim Simple Mail Transfer Protocol
CVE-2019-11510   Pulse Secure
CVE-2019-19781   Citrix
CVE-2020-0688    Microsoft Exchange
CVE-2020-4006    VMware (Note: this was a zero-day at the time)
CVE-2020-5902    F5 BIG-IP
CVE-2020-14882   Oracle WebLogic
CVE-2021-26855   Microsoft Exchange (Note: frequently observed in conjunction with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065)

Affected Products:

Multiple third-party vendor software, highlighted in the section above.

Recommendations and Best Practices:

To increase cyber resilience against this threat, ITC recommends installing the latest patches, mandating multi-factor authentication for all users, monitoring for signs of abnormal activity that may indicate lateral movement, enforcing network segmentation, and keeping operating systems, applications and firmware up to date.

Other recommended best practices are as follows:

  • Implement robust log collection and retention
  • Require accounts to have strong passwords
  • Enable strong spam filters to prevent phishing emails from reaching end-users
  • Implement rigorous configuration management programs
  • Disable all unnecessary ports and protocols
  • Ensure OT hardware is in read-only mode

Organisations should act quickly to apply these measures, which are detailed in the CISA advisory and the other URLs listed in this bulletin’s sources.

React:

Because these vulnerabilities were disclosed between 2018 and 2021, Qualys detection logic for them already exists and is used to identify vulnerable devices and current exposure. ITC’s managed Vulnerability Intelligence customers will already have had these identified through Qualys.

ITC’s Sentinel SIEM managed service actively monitors for indications of attackers who may leverage vulnerabilities such as these to gain access to customer networks, and our analysts conduct proactive threat hunting to search for related indicators of compromise.

Sources:

  1. https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42
  2. https://thecyberwire.com/newsletters/daily-briefing/11/11
  3. https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html
  4. https://unit42.paloaltonetworks.com/ukraine-cyber-conflict
  5. https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11
  6. https://www.cisa.gov/uscert/ncas/alerts/aa22-011a