Hackers Chaining 'Zerologon,' Other Vulnerabilities
CISA Says APTs Gained Access to State and Local Election Support Systems
The U.S. Cybersecurity and Infrastructure Security Agency is warning that sophisticated hacking groups are chaining together vulnerabilities, such as the recent "Zerologon" bug and other flaws, to target state, local, tribal and territorial government networks.
In some cases, the attackers gained access to what CISA calls "election support systems" within government networks, but the security agency stressed that no election data has been compromised, according to the warning issued Friday.
CISA warns that these advanced persistent threat groups are attempting to exploit legacy vulnerabilities as well as newer privilege escalation flaws, such as the Zerologon bug recently uncovered in Windows Server.
"Malicious cyber actors are exploiting legacy vulnerabilities against SLTT, Critical Infrastructure, and Elections Organizations. Read our joint advisory with the @FBI for technical details and recommended actions: https://t.co/FDbCpPdNbV #InfoSec #InfoSecurity #Protect2020"
Cybersecurity and Infrastructure Security Agency (@CISAgov), October 10, 2020
"The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application," according to CISA, which issued its warning with input from the FBI. "Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks."
Although the CISA alert did not offer specific details about the APTs using these vulnerabilities to target government networks, Microsoft's security team warned that it had detected an Iranian-backed hacking group called Mercury trying to exploit the Zerologon flaw over the last two weeks (see: Iranian Hackers Exploiting 'Zerologon' Flaw).
Since August, Microsoft has warned its users to apply a partial patch that the company issued for the Zerologon vulnerability. In September, CISA began issuing warnings about the flaw, noting that threat actors were looking to take advantage of unpatched systems (see: Warning: Attackers Exploiting Windows Server Vulnerability).
With less than a month to go before the November elections, CISA, the FBI and other U.S. agencies have been issuing a string of warnings about election security and attempts by hacking groups, both foreign and domestic, to interfere or spread disinformation (see: FBI, CISA Warn of DDoS Attacks Targeting November Election).
The CISA alert notes that several of these hacking groups have recently begun to exploit legacy vulnerabilities in network access devices and VPNs as part of an initial attack. The APT groups then look to exploit newer flaws, such as Zerologon, to gain administrative privileges, capture additional passwords and usernames, move laterally through the network and maintain persistence, according to Friday's alert.
Many of the legacy vulnerabilities these hacking groups are exploiting have been known for months or years, and vendors and security researchers have urged users to apply patches or fixes. According to CISA, some of the commonly exploited chaining vulnerabilities are:
- CVE-2018-13379, a path traversal (improper pathname limitation) vulnerability found in multiple versions of the Fortinet FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download system files via specially crafted HTTP resource requests;
- CVE-2019-19781, an arbitrary code execution vulnerability found in Citrix Gateway and Citrix SD-WAN WANOP appliances. In December 2019, researchers at security firm Positive Technologies released a report that found this bug could affect some 80,000 companies in 158 countries;
- CVE-2020-15505, a remote code execution vulnerability in MobileIron Core and Connector administrative portals that could enable attackers to execute arbitrary code through unspecified vectors.
Although not observed in this campaign, other vulnerabilities could be used to gain network access, according to CISA. These include:
- CVE-2019-11510, a file-reading vulnerability found in unpatched Pulse Connect Secure enterprise VPN servers;
- CVE-2020-2021, an authentication vulnerability in Palo Alto Networks' PAN-OS that could allow unauthenticated network-based attackers to access protected resources;
- CVE-2020-5902, a remote code execution vulnerability in F5's BIG-IP network products. In July, CISA published an alert warning that threat actors were exploiting this vulnerability to exfiltrate data, access networks, carry out commands, create or delete files and disable services.
In the alert, CISA notes that it has detected attacks looking to exploit the vulnerability in the Fortinet FortiOS VPN. To a lesser extent, these hacking groups have also attempted to take advantage of the flaws in the MobileIron products.
"While these exploits have been observed recently, this activity is ongoing and still unfolding," according to CISA.
Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, noted recently on Twitter that the MobileIron vulnerability is being exploited by ransomware gangs as well.
"Yeah the MobileIron one is hot, somebody published an exploit and now the ransomware peeps are walking in to orgs. https://t.co/Y1hc2yNujZ"
Kevin Beaumont (@GossiTheDog), October 10, 2020
Once these hacking groups exploit the older vulnerabilities, they turn to taking advantage of other unpatched systems and devices to escalate their administrative privileges within compromised networks, including trying to access Windows Active Directory (see: Why Hackers Abuse Active Directory).
Most recently, these hacking groups have been attempting to exploit the Zerologon flaw in Windows Server. This vulnerability affects Windows Server's Netlogon Remote Protocol, or MS-NRPC - an authentication component of Active Directory that organizations deploy to manage user accounts, including authentication and access, according to Microsoft's initial alert about the bug.
The Zerologon vulnerability, which is tracked as CVE-2020-1472, has been given a CVSS score of 10 - the most critical - and Microsoft has urged its users to apply a partial patch. A full fix is not expected until 2021.
"Post initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers," according to CISA.
The CISA alert also notes that the hacking groups are using open-source tools, such as Mimikatz and CrackMapExec, to obtain valid Active Directory credentials. Once these networks have been compromised, the APTs can maintain persistence within the networks using these credentials.
In addition to patching for these vulnerabilities, the CISA alert recommends a few additional steps that organizations can take to prevent potential attacks, including:
- Implementing multifactor authentication on all VPN connections to increase security. CISA suggests that physical security tokens are the most secure for this, followed by app-based authentication;
- Discontinuing unused VPN servers to reduce the attack surface because hackers are known to exploit unused VPN servers as a point of entry;
- Auditing configuration and patch management programs as well as monitoring and addressing noncompliant devices that are using vulnerable Netlogon secure channel connections;
- Blocking public access to potentially vulnerable ports, such as port 445, which is used by the Server Message Block (SMB) protocol, and port 135, which is used by the Remote Procedure Call (RPC) endpoint mapper;
- Updating all Domain Controllers and Read-Only Domain Controllers.
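The third step above, finding devices that still rely on vulnerable Netlogon secure channel connections, is usually done from the Netlogon audit events (IDs 5827 through 5831) that the August 2020 CVE-2020-1472 update added to domain controllers' System log. The script below is an added example, not code from CISA or Microsoft; it assumes those events have already been exported into simple records with the fields shown (for instance via Get-WinEvent), and the sample records are constructed.

```python
from collections import defaultdict

# Netlogon audit event IDs Microsoft added with the August 2020 CVE-2020-1472 update.
# 5827/5828: vulnerable connection denied (machine / trust account).
# 5829: vulnerable machine-account connection allowed during the initial deployment phase.
# 5830/5831: connection allowed by an explicit "Allow vulnerable Netlogon secure channel
#            connections" group policy exception (machine / trust account).
EVENT_CLASS = {
    5827: "denied", 5828: "denied",
    5829: "allowed_vulnerable",
    5830: "policy_exception", 5831: "policy_exception",
}
# Policy exceptions keep the DC exposed on purpose, so they rank first; accounts only
# seen with 5829 will stop working once the DC enters enforcement mode; denied ones
# are already blocked and just need fixing or decommissioning.
PRIORITY = {"policy_exception": 0, "allowed_vulnerable": 1, "denied": 2}

# Constructed sample records, shaped like a minimal export of the System log.
SAMPLE_EVENTS = [
    {"id": 5829, "dc": "DC01", "account": "PRINTSRV$", "ip": "10.0.5.12"},
    {"id": 5829, "dc": "DC02", "account": "PRINTSRV$", "ip": "10.0.5.12"},
    {"id": 5827, "dc": "DC02", "account": "OLDNAS$", "ip": "10.0.7.40"},
    {"id": 5830, "dc": "DC01", "account": "LEGACYAPP$", "ip": "10.0.9.3"},
    {"id": 4624, "dc": "DC01", "account": "jdoe", "ip": "10.0.1.77"},  # unrelated logon, ignored
]


def triage(events):
    """Group Netlogon audit events by account and return a remediation worklist.

    Each entry is (account, status, hit_count, sorted source IPs, sorted DCs), ordered
    most urgent status first and, within a status, by hit count descending.
    """
    seen = defaultdict(lambda: {"status": None, "count": 0, "ips": set(), "dcs": set()})
    for ev in events:
        status = EVENT_CLASS.get(ev["id"])
        if status is None:
            continue  # not a Netlogon secure-channel audit event
        entry = seen[ev["account"]]
        entry["count"] += 1
        entry["ips"].add(ev["ip"])
        entry["dcs"].add(ev["dc"])
        # Keep the most urgent classification observed for this account.
        if entry["status"] is None or PRIORITY[status] < PRIORITY[entry["status"]]:
            entry["status"] = status
    worklist = [(acct, e["status"], e["count"], sorted(e["ips"]), sorted(e["dcs"]))
                for acct, e in seen.items()]
    worklist.sort(key=lambda w: (PRIORITY[w[1]], -w[2], w[0]))
    return worklist


if __name__ == "__main__":
    for acct, status, count, ips, dcs in triage(SAMPLE_EVENTS):
        print(f"{acct:<12} {status:<18} hits={count} from={','.join(ips)} on={','.join(dcs)}")
```

Running it against real exports from every domain controller (the same device may only show up on one DC) gives the list of machines to patch, reconfigure or retire before enforcement mode is switched on.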
Managing Editor Scott Ferguson contributed to this report.