Alert - APT Actors Target U.S. and Allied Networks - update 1

Number: AL21-007 UPDATE 1
Date: 15 April 2021
Updated: 7 May 2021

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) issued a Joint Cybersecurity Advisory [1] detailing targeting and exploitation of several vulnerabilities by advanced persistent threat (APT) actors.

UPDATE 1

On 7 May 2021, the United Kingdom's National Cyber Security Centre (NCSC-UK) published an advisory outlining additional information on the APT actors, including further exploited vulnerabilities and post-exploitation techniques. [6]

ASSESSMENT

On 15 April 2021, the NSA, CISA, and FBI issued a Joint Cybersecurity Advisory [1], drawing attention to widespread scanning and exploitation of several vulnerabilities by APT actors. The advisory states that the APT actors are targeting vulnerable systems to obtain authentication credentials and enable further access within networks, including national security and government systems.

Examples of recent activity include compromising SolarWinds Orion updates, targeting COVID-19 research facilities, and leveraging a VMware vulnerability for authentication abuse.

The Cybersecurity Advisory highlights the following vulnerabilities being exploited:

  • CVE-2018-13379 Fortinet [2], [3]
  • CVE-2019-9670 Zimbra [3]
  • CVE-2019-11510 Pulse Secure [3], [4]
  • CVE-2019-19781 Citrix [3]
  • CVE-2020-4006 VMware [5]

UPDATE 1 [6]

  • CVE-2020-5902 F5 Big-IP
  • CVE-2020-14882 Oracle WebLogic
  • CVE-2021-21972 VMware vSphere
  • CVE-2019-1653 Cisco router
  • CVE-2019-2725 Oracle WebLogic Server
  • CVE-2019-7609 Kibana
  • CVE-2021-26857 Exchange (SOAP payload)
  • CVE-2021-26858 Exchange (Arbitrary files)
  • CVE-2021-27065 Exchange (Arbitrary files)

The Cyber Centre is highlighting this advisory, as it provides important information to system owners and operators responsible for defending their systems and networks from cyber threats.

Software updates and mitigations are available for these vulnerabilities. See past reporting by the Cyber Centre and partners for more details.

Should activity matching the content of this Alert be discovered, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).

REFERENCES

[1] APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks (NSA, CISA, FBI)
https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF

[2] Cyber Centre Alert on Exploitation of Fortinet FortiOS vulnerabilities (CISA, FBI) (AL21-005)
https://cyber.gc.ca/en/alerts/exploitation-fortinet-fortios-vulnerabilities-cisa-fbi

[3] Joint Advisory: APT29 targets COVID-19 vaccine development
https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF

[4] Continued threat actor exploitation post Pulse Secure VPN patching (CISA) (AL20-012)
https://cyber.gc.ca/en/alerts/continued-threat-actor-exploitation-post-pulse-secure-vpn-patching-cisa

[5] Active exploitation of VMware vulnerability (AL20-027)
https://cyber.gc.ca/en/alerts/active-exploitation-vmware-vulnerability

[6] Joint advisory: Further TTPs associated with APT cyber actors
https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors

NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.
