
Not so ‘Cozy Bear’ – 5 Security Bugs Under Active Nation-State Cyber-Attack!


US Federal Agencies are warning that nation-state actors are once again after US assets, this time in a string of cyber-attacks that exploit 5 vulnerabilities that affect VPN solutions, collaboration-suite software & virtualisation technologies.

Widely used platforms from Citrix, Fortinet, Pulse Secure, Synacor & VMware are all targets of APT29, bent on stealing credentials & more.

National Security Agency

According to the US National Security Agency (NSA), which issued an alert Thurs., the advanced persistent threat (APT) group known as APT29 (a.k.a. Cozy Bear or The Dukes) is conducting “widespread scanning & exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.”

The targets include US & allied national security & govt. networks, it added.

The 5 bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor & VMware (detailed below) that organisations should patch immediately, researchers warned.

Metasploit Modules

“Some of these vulnerabilities also have working Metasploit modules & are currently being widely exploited,” stated researchers with Cisco Talos, in a related posting on Thurs. “Please note that some of these vulnerabilities exploit applications using SSL. This means that users should enable SSL decryption…to detect exploitation of these vulnerabilities.”

The NSA has linked APT29 to Russia’s Foreign Intelligence Services (SVR). The news comes as the US formally attributed the recent SolarWinds supply-chain attack to the SVR & issued sanctions on Russia for cyber-attacks & what President Biden called out as interference with US elections.

5 Vulnerabilities – Actively Exploited

According to the NSA, the following are under widespread attack in cyber-espionage efforts:

  • CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)
  • CVE-2019-19781 Citrix Application Delivery Controller & Gateway (directory traversal)
  • CVE-2020-4006 VMware Workspace ONE Access (command injection)

Lack of Diligence

“Vulnerabilities in 2 VPN systems, 2 virtualisation platforms & 1 collaboration solution seem to be a mighty combo,” Dirk Schrader, Global VP of Security Research at New Net Technologies, explained.

“4 of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the US, given that all are either rated as severe or even critical in NIST’s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cyber-security control, even more so in pandemic times.”

CVE-2018-13379: Fortinet FortiGate SSL VPN

A directory traversal vulnerability in Fortinet FortiOS allows unauthenticated attackers to access & download system files by sending specially crafted HTTP resource requests. “This can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,” according to Cisco Talos.

The NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.

The nation-state issue is ongoing: Earlier in April, the FBI & the Cyber-Security & Infrastructure Security Agency (CISA) warned that APTs were actively exploiting the bug.

CVE-2019-9670: Synacor Zimbra Collaboration Suite

This bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacor Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials, either to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.

CVE-2019-11510: Pulse Secure Pulse Connect Secure VPN

In Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation by remote, unauthenticated attackers looking to gain access to a victim’s networks. Attackers can send a specially crafted URI to trigger the exploit. It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, & 9.0 before 9.0R3.4.
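As an added example (not Fortinet, Pulse Secure or NSA code), the FortiOS and Pulse Connect Secure version ranges quoted above can be turned into an inventory check that tells an operator which appliances still sit inside an affected range. The parsing of Pulse's "R" release notation is an assumption, and branches the article does not list are reported as unlisted rather than safe.

```python
# Added example (not vendor code): triage appliance versions against the
# affected ranges the article states for CVE-2018-13379 and CVE-2019-11510.
import re

# FortiOS: inclusive ranges, as listed in the text.
FORTIOS_AFFECTED = [((6, 0, 0), (6, 0, 4)), ((5, 6, 3), (5, 6, 7)),
                    ((5, 4, 6), (5, 4, 12))]
# Pulse Connect Secure: a branch is affected strictly before its fixed build.
PCS_FIXED = {(8, 2): (8, 2, 12, 1), (8, 3): (8, 3, 7, 1), (9, 0): (9, 0, 3, 4)}

def parse_fortios(version):
    """'6.0.3' -> (6, 0, 3); anything else is rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    return tuple(int(x) for x in m.groups())

def parse_pcs(version):
    """'8.2R12.1' -> (8, 2, 12, 1). Assumption: the scheme is
    major.minor R release[.patch], with a missing patch counted as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised PCS version: {version!r}")
    major, minor, rel, patch = m.groups()
    return int(major), int(minor), int(rel), int(patch or 0)

def fortios_vulnerable(version):
    """True when the version lies inside a listed inclusive range."""
    v = parse_fortios(version)
    return any(lo <= v <= hi for lo, hi in FORTIOS_AFFECTED)

def pcs_vulnerable(version):
    """True/False for a listed branch; None when the article does not
    cover that branch, so no claim is made either way."""
    v = parse_pcs(version)
    fixed = PCS_FIXED.get(v[:2])
    return None if fixed is None else v < fixed

CHECKS = {"fortios": fortios_vulnerable, "pcs": pcs_vulnerable}
LABEL = {True: "AFFECTED", False: "outside affected range", None: "branch not listed"}

if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    for host, product, ver in [("fw-edge-1", "fortios", "6.0.3"),
                               ("fw-dc-2", "fortios", "6.0.5"),
                               ("vpn-a", "pcs", "8.3R5"),
                               ("vpn-b", "pcs", "9.0R3.4"),
                               ("vpn-c", "pcs", "9.1R1")]:
        print(f"{host:<10}{ver:<10}{LABEL[CHECKS[product](ver)]}")
```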

“This can be abused by attackers to access sensitive information, including private keys & credentials,” explained Cisco Talos researchers.

Last April, the US Dept. of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyber-attacks targeted companies who had previously patched a related flaw in the VPN family.

US Federal Agency 

At the time, DHS warned that attackers who have already exploited the flaw to snatch up victims’ credentials were using those credentials to move laterally through organisations, rendering patches useless.

Then in Sept., a successful cyber-attack on an unnamed US Federal agency was attributed to exploitation of the bug.

“It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability – CVE-2019-11510 – in Pulse Secure,” according to CISA’s alert at the time. “CVE-2019-11510…allows the remote, unauthenticated retrieval of files, including passwords. CISA in the US has observed wide exploitation of CVE-2019-11510 across the US Federal Govt.”

CVE-2019-19781: Citrix Application Delivery Controller & Gateway

This is a critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) & Gateway that can allow remote code execution. It was 1st disclosed as a zero-day in Dec. 2019, after which Citrix rolled out patches amidst dozens of proof-of-concept exploits & skyrocketing exploitation attempts.

It affects Citrix ADC & Gateway versions before,,, & & SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, & 5100-WO versions before 10.2.6b & 11.0.3b.
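The FortiOS, Pulse Secure and Citrix bugs above share one shape: a request path that, once decoded, climbs out of the directory the server meant to expose. The following added example (not from the article, Talos or any vendor) shows the normalisation a detector needs before it can spot that in access logs; the log format and lines are constructed, and such requests are only visible where TLS is decrypted or the appliance's own request logs are collected.

```python
# Added example (not from the article or any vendor): flag HTTP requests whose
# path escapes the web root after decoding. Log format and lines are constructed.
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<target>\S+) \S+" (?P<status>\d{3}) \S+$')

def decode_path(target):
    """Percent-decode until stable (catches double encoding), drop the query
    string, and normalise backslashes so they cannot hide a '..' segment."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_root(path):
    """Walk the segments; True if a '..' ever pops above the root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def find_traversal(log_lines):
    """Return (ip, decoded_path) for each request that escapes the root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        path = decode_path(m["target"]) if m else ""
        if escapes_root(path):
            hits.append((m["ip"], path))
    return hits

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [15/Apr/2021:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Apr/2021:10:01:09 +0000] "GET /static/../../etc/hosts HTTP/1.1" 200 3021',
    '198.51.100.7 - - [15/Apr/2021:10:02:11 +0000] "GET /img/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 404 0',
    '198.51.100.7 - - [15/Apr/2021:10:02:30 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    print(*find_traversal(SAMPLE_LOG), sep="\n")
```

Note that the benign `/docs/a/../b.html` request is not flagged: the check is whether the path leaves the root, not whether it merely contains `..`.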

CVE-2020-4006: VMware Workspace ONE Access

Finally, a command-injection vulnerability in VMware Workspace ONE Access, Access Connector, Identity Manager & Identity Manager Connector allows arbitrary command execution on the underlying operating system. A successful exploit does, however, require valid credentials for the configurator admin account, so it must be chained with another bug.

However, in Dec. the NSA warned that foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. State players were using the bug to pilfer protected data & abuse shared authentication systems, it observed.

It affects VMware One Access 20.01 & 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 & 19.03, VMware Cloud Foundation 4.0 – 4.1, & VMware vRealize Suite Lifecycle Manager 8.x.

Protect Against Cyber-Attacks?

The NSA recommended several best practices to protect organisations from attack:

  • Update systems & products as soon as possible after patches are released.
  • Assume a breach will happen; review accounts & use the latest eviction guidance available.
  • Disable external management capabilities & set up an out-of-band management network.
  • Block obsolete or unused protocols at the network edge & disable them in client device configurations.
  • Adopt a mindset that compromise happens: Prepare for incident response activities.

Patchable Exploits

“If publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organisations’ understanding of risk & basic IT hygiene,” Tim Wade, Technical Director on the CTO team at Vectra, explained.

“The unfortunate reality is that for many organisations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organisations to fully manage.”

He concluded, “This underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur – their imperative is to detect, respond & recover from those events to expel adversaries before material damage is realised.”
