A joint U.S. and UK advisory has identified 25 vulnerabilities tied to an exploitation campaign by Russia state-sponsored threat actors, specifically APT 29 — the group behind the infamous SolarWinds hack. GreyNoise actively tracks 12 of the 25 vulnerabilities mentioned in the advisory. To provide real-time, actionable context, GreyNoise has detected that nine of these vulnerabilities are being actively probed by attackers, offering critical insights for organizations to prioritize their defenses.
Executive Summary
- The U.S. and UK governments issued a joint advisory warning of Russian state-sponsored cyber threats, specifically from APT 29, the group responsible for the SolarWinds hack.
- The advisory identifies 25 CVEs across major platforms (Cisco, Citrix, Microsoft, etc.) that are being opportunistically scanned by attackers.
- Tracking 12 of the 25 CVEs in the advisory, GreyNoise’s real-time intelligence shows nine of these vulnerabilities are currently experiencing active probing.
- The advisory urges organizations to patch vulnerabilities to mitigate the threat and prevent potential exploitation.
Given the real-time nature of GreyNoise’s observations, the set of actively targeted vulnerabilities is likely to change over time. Please check the GreyNoise Visualizer for the latest information.
What GreyNoise Is Seeing
GreyNoise observes internet traffic via its global network of sensors and honeypots, allowing it to track and classify behavior as malicious or benign.
While the advisory outlines 25 vulnerabilities, GreyNoise is uniquely positioned to provide real-time insights, identifying the nine CVEs currently being probed. These active scans are part of mass, opportunistic efforts, a tactic commonly used by threats actors like APT 29 (Cozy Bear), although GreyNoise does not attribute malicious activity directly.
12 GreyNoise-Tracked CVEs in the Advisory — Nine Actively Probed Right Now
Of the 12 GreyNoise-tracked CVEs mentioned in the joint advisory, GreyNoise observes exploitation or reconnaissance activity across the following:
- CVE-2023-20198 — Cisco IOS XE Web UI Privilege Escalation
- CVE-2023-4966 — Citrix NetScaler ADC Buffer Overflow
- CVE-2021-27850 — Apache Tapestry Deserialization of Untrusted Data
- CVE-2021-41773 — Apache HTTP Server Path Traversal
- CVE-2021-42013 — Apache HTTP Server Path Traversal
- CVE-2018-13379 — Fortinet FortiOS SSL VPN Path Traversal
- CVE-2023-42793 — JetBrains TeamCity Authentication Bypass
- CVE-2023-29357 — Microsoft SharePoint Server Privilege Escalation
- CVE-2023-35078 — Ivanti Endpoint Manager Mobile Authentication Bypass
These vulnerabilities cover a wide range of products critical to business operations and infrastructure, making this real-time data invaluable for defenders to prioritize patching.
Mass Opportunistic Scanning in the Spotlight
In the joint advisory, the agencies highlighted the threat of mass opportunistic scans and the focus thereof by Russian intelligence:
“This mass scanning and opportunistic exploitation of vulnerable systems, as opposed to more targeted operations, increase the threat surface to include virtually any organization with vulnerable systems.
The SVR [Russian Foreign Intelligence] takes advantage of opportunistic victims to host malicious infrastructure, conduct follow-on operations from compromised accounts, or to attempt to pivot to other networks.”
The advisory comes at a time when attackers are increasingly relying on mass opportunistic scanning to compromise organizations, making it critical that organizations leverage real-time intelligence showing when and where attackers are engaged in reconnaissance and exploitation activity.
Recommendations to Protect your Organization
- Patch Immediately: Ensure the nine vulnerabilities identified by GreyNoise as being actively probed are patched as soon as possible.
- Monitor Real-Time Activity: Stay vigilant by leveraging real-time intelligence, which can help organizations track shifts in attacker activity.
- Strengthen Defenses: Take steps to harden security controls, such as deploying firewall blocklists and reinforcing access control policies, to mitigate the risk of successful exploitation.
For more details, read the full U.S. and UK report here.