NSA: 5 Security Bugs Under Active Nation-State Cyberattack

Widely deployed platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware are all in the crosshairs of APT29, bent on stealing credentials and more.

The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.

According to the U.S. National Security Agency (NSA), which issued an alert Thursday, the advanced persistent threat (APT) group known as APT29 (a.k.a. Cozy Bear or The Dukes) is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.”

The targets include U.S. and allied national-security and government networks, it added.

Join experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) to find out how cybercrime forums really work. FREE! Register by clicking above.

The five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.

“Some of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,” said researchers with Cisco Talos, in a related posting on Thursday. “Please note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption…to detect exploitation of these vulnerabilities.”

The NSA has linked APT29 to Russia’s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent SolarWinds supply-chain attack to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.

The 5 Vulnerabilities Being Actively Exploited

According to the NSA, the following are under widespread attack in cyber-espionage efforts:

  • CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)
  • CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)
  • CVE-2020-4006 VMware Workspace ONE Access (command injection)

“Vulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,” Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. “Four of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST’s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.”


A directory traversal vulnerability in Fortinet FortOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. “This can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,” according to Cisco Talos.

The NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.

The nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that APTs were actively exploiting the bug.


This bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacore Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.


In Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim’s networks. Attacker can send a specially crafted URI to trigger the exploit. It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.

“This can be abused by attackers to access sensitive information, including private keys and credentials,” explained Cisco Talos researchers.

Last April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN family.

At the time, DHS warned that attackers who have already exploited the flaw to snatch up victims’ credentials were using those credentials to move laterally through organizations, rendering patches useless.

Then September, a successful cyberattack on an unnamed federal agency was attributed to exploitation of the bug. “It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability – CVE-2019-11510 – in Pulse Secure,” according to CISA’s alert at the time. “CVE-2019-11510…allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.”


This critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway that can allow remote code-execution. It was first disclosed as a zero-day in December 2019, after which Citrix rolled out patches amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.

It affects Citrix ADC and Gateway versions before,,, and and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.


And finally, a command-injection vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug to use it.

Nonetheless, in December the NSA warned that foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.

It affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Cloud Foundation 4.0 – 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.

How Can I Protect Against Cyberattacks?

The NSA recommended several best practices to protect organizations from attack:

  • Update systems and products as soon as possible after patches are released.
  • Assume a breach will happen; review accounts and leverage the latest eviction guidance available.
  • Disable external management capabilities and set up an out-of-band management network.
  • Block obsolete or unused protocols at the network edge and disable them in client device configurations.
  • Adopt a mindset that compromise happens: Prepare for incident response activities.

“If publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations’ understanding of risk and basic IT hygiene,” Tim Wade, technical director on the CTO team at Vectra, told Threatpost. “The unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.”

He added, “This underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur – their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.”

Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event. 

Suggested articles