The U.S. government, as part of the White House's announcement of new sanctions against Russia, is again calling on organizations to patch five vulnerabilities it claims that Russia’s Foreign Intelligence Service, SVR, is actively exploiting.

The joint request came this morning from the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).

It’s not the first time the federal entities have made the bugs known and it may not be the last.

According to the advisory, the vulnerabilities include:

• CVE-2018-13379 Fortinet FortiGate VPN
• CVE-2019-9670 Synacor Zimbra Collaboration Suite
• CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
• CVE-2019-19781 Citrix Application Delivery Controller and Gateway
• CVE-2020-4006 VMware Workspace ONE Access

According to the agencies, Russia is using the five vulnerabilities in order to give its intelligence service a leg up so it can gain a foothold into organizations and steal credentials.

CISA has warned about almost all of the vulnerabilities before.

It said last year that Russian state-sponsored actors were exploiting the VMware bug, a command injection vulnerability in the administrative configurator component in a handful of its products: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. VMware released a workaround to address the zero-day vulnerability in November before releasing a patch on December 3 last year.

CISA also warned about the Citrix vulnerability – an arbitrary code execution bug via directory traversal - last year, saying that attackers had compromised numerous organizations that were using vulnerable Citrix devices. Citrix first warned about the bug in December 2019, right before the holidays, but didn't fully release firmware updates for all products affected by the vulnerability until January 24, 2020.

The Pulse Secure vulnerability (CVE-2019-11510) – a critical arbitrary file reading vulnerability – might be the most popular and the most dangerous bug here; it’s popped up in a handful of CISA advisories over the years; including a recap of some of the top bugs the agency saw exploited by foreign hackers last year. It's been used by attackers working for the Chinese Ministry of State Security, attackers based in Iran, and Russia. Thousands of VPN server endpoints were vulnerable to CVE-2019-11510 two summers ago. Pulse Secure released an out-of-cycle advisory for the bug in April 2019 but that didn't stop attackers from targeting unpatched servers.

Despite being the oldest vulnerability here, both the FBI and CISA said earlier this month they've seen an uptick in APT groups scanning for the Fortinet vulnerability (CVE-2018-13379) meaning it could be one of the SVR’s favorite as of late. The vulnerability, a path traversal vulnerability in the FortiOS SSL VPN web portal, could allow attackers to steal VPN credentials by downloading the FortiOS system files.

The company patched the bug in May 2019 but clearly not every entity has patched.

The one bug that hasn't found itself into a CISA advisory is CVE-2019-9670, an XML external entity injection bug in Zimbra, the open source email suite. Researchers in 2019 shared how the bug could be chained together to lead to remote code execution; assuming an organization never patched, they'd still be vulnerable. The National Cyber Security Centre, NSA, and CISA did include CVE-2019-9670 in a report about how APT 29 was targeting COVID-19 vaccine development last July however; the report also mentioned attackers were exploiting vulnerabilities in Citrix, Pulse Secure, and FortiGate.

The attacks carried out by SVR actors run the gamut, according to the NSA, CISA, and FBI. In addition to exploiting public facing applications, compromising supply chains, exploiting software for credential access, and forging web credentials - that's where the SAML abuse comes into play.

The warning came on the same day the White House formally attributed last year's supply chain attack on SolarWinds' Orion platform to SVR, also known as APT 29, and Cozy Bear.

In a statement, the U.S. said its intelligence community has "high confidence in its assessment of attribution to the SVR." In addition to SolarWinds, the NSA/FBI/CISA advisory claims the SVR's activities also include targeting COVID-19 research facilities via malware, WellMess, exploiting a VMware vulnerability to tamper with SAML (Security Assertion Markup Language) authentication.

While Russia being the culprit behind the SolarWinds hack has long been the narrative, today's attribution - the sanctions also blame Russia for interfering with the 2020 election – is the US’ first retaliatory response to Russia's escalating cyber aggression.

In scope, it's one of if not the largest condemnation of nation state hacking by the U.S. government to date.

In addition to publicly pinning the SolarWinds hack on the SVR, the Biden administration also announced it would be imposing sanctions on six Russian tech companies the administration claims help support Russia's intelligence program. It’s also leveraging financial penalties and expelling 10 diplomats from the Russian embassy.

As part of the penalties, the U.S. announced prohibitions on banks trading Russian government debt after June 14. This action, put in motion by the U.S. Treasury, forbids U.S. banks from buying government bonds from the Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation, or the Ministry of Finance of the Russian Federation. The goal is to halt one of the country’s main ways it funds its government.

“This Executive Order sends a signal that the United States will impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions,” the White House announcement reads.