After the SolarWinds supply chain attack, there was a lot of speculation about those responsible. This week, the U.S. government and Biden administration formally sanctioned Russia, citing the SolarWinds attack and its involvement in disruptive tactics related to the 2020 election campaign.
What the Russian Government Has Been Involved In
Although the Russian Ministry of Foreign Affairs publicly denied on Thursday that they had any involvement in the SolarWinds attack or any disruption of the election campaign, U.S. security experts are confident that they are dropping blame on the right doorstep.
Earlier on Thursday, the FBI, NSA, and Cybersecurity and Infrastructure Security Agency (CISA) announced that they are tracking five known vulnerabilities that Russian Intelligence is using to exploit targets. On the heels of this announcement, President Biden formally sanctioned Russia and noted five Russian technology/security companies urging other governments and companies to steer clear of these perpetrators.
The five vulnerabilities are explained by Data Breach Today:
- “CVE-2018-13379: This vulnerability affects the Fortinet FortiOS operating system 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12, which is used in the company’s Secure Sockets Layer (SSL) Virtual VPN web portal. If exploited, it could allow an unauthenticated attacker to download system files via a specially crafted HTTP resource request.
- CVE-2019-9670: This flaw affects the Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. If exploited, it could allow an attacker to use an XML External Entity (XXE) injection.
- CVE-2019-11510: Exploits of this vulnerability in Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 could allow a remote attacker to send a specially crafted Uniform Resource Identifier to perform an arbitrary file read.
- CVE-2019-19781: This vulnerability affects Citrix ADC and Gateway versions before 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b. If exploited, it could allow for directory traversal.
- CVE-2020-4006: This vulnerability in VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1-3.3.3 on Linux, VMware Identity Manager Connector 3.3.1-3.3.3 and 19.03, VMware Cloud Foundation 4.0-4.1, and VMware vRealize Suite Lifecycle Manager 8.x could be exploited for command injection vulnerability.”
U.S. Government Sanctions
Biden hurled multiple economic sanctions at Vladimir Putin’s government last week and, according to Data Breach Today, is also
“sanctioning more than 30 Russian companies and individuals accused of supplying tools, infrastructure, and technologies for various cyber operations or participating in the election-related disinformation campaign.”
Along with the sanctions, Biden is expelling 10 Russian diplomats from the country.
Data Breach Today warns that “In addition, the Treasury Department will now prohibit U.S. financial institutions from participating in the primary market for ruble or non-ruble denominated bonds issued after June 14 by a number of Russian agencies, including the nation’s Central Bank, National Wealth Fund and Ministry of Finance.”
The Biden administration took these steps to “address the Russian government’s efforts to undermine the conduct of free and fair democratic elections and democratic institutions in the United States and its allies and partners; [and] to engage in and facilitate malicious cyber-enabled activities against the United States and its allies and partners.”