Part of the attack was successful, with unauthorized intruders gaining “access to election support systems.”
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint security alert on Friday,Indicates that hackers are exploiting VPN and Windows vulnerabilities to break into government networks.
The attacks were mainly launched against government networks at the federal, state, local, county, and territory (SLTT) levels, and some non-government networks were also affected during the same period.
The security alert states, “Based on intelligence held by CISA,This round of attacks gave attackers unauthorized access to parts of the election support system; however, to date, there is no evidence that the integrity of election data has been compromised. “
“With the election still some time away, the attackers do not appear to have made a particularly clear choice of targets, but this incident highlights the security risks to election information stored on government networks,” the officials added. “
This Attack Combines FORTINET VPN with WINDOWS ZEROLOGON Vulnerability
According to the joint alert, this round of attacks combined and exploited two security vulnerabilities, CVE-2018-13379 and CVE-2020-1472.
CVE-2018-13379 is a vulnerability in Fortinet’s FortiOS SSL VPN, a local VPN server, a secure gateway used to access corporate networks from remote locations. Officially disclosed last year, CVE-2018-13379 allows attackers to take over Fortinet VPN servers by uploading malicious files on unpatched systems.
CVE-2020-1472, also known as Zerologon, is a security vulnerability in Netlogon. Netlogon is an important protocol for Windows workstations to authenticate Windows Servers as domain controllers. The security flaw allows attackers to take over domain controller and server users, manage the entire internal/corporate network, and in particular all access workstation passwords contained within it.
CISA and the FBI explained that,Attackers combined the two vulnerabilities to hijack Fortinet servers and use Zerologon to manipulate and take over the internal network.
“The attackers then use legitimate remote access tools (e.g. VPN, RDP) in conjunction with the stolen credentials to access the internal environment,” the two added.
The joint alert did not reveal details about the attackers, other than to describe them as “advanced persistent threat (APT) actors.”
Cybersecurity experts generally use APT actors to describe state-sponsored hacking groups. Microsoft also said last week that it observed APT Mercury (Muddy Watter) from Iran exploiting the Zerologon bug in a recent attack. Notably, the threat group has carried out several high-profile attacks on U.S. government agencies.
The linkage of multiple VPN vulnerabilities has become a new attack trend and a major threat factor
CISA and the FBI advised U.S. private and public sector entities to update their systems to fix the two vulnerabilities, which were officially released a few months ago.
In addition, CISA and the FBI also warned that hackers could replace the Fortinet vulnerability in this attack with other similar vulnerabilities in VPN and gateway products (the corresponding patches have also been released), so as to achieve the same unauthorized access effect.
Related vulnerabilities include:
Pulse Secure “Connect” Enterprise VPN (CVE-2019-11510)
Palo Alto Networks “Global Protect” VPN Server (CVE-2019-1579)
Citrix “ADC” Server with Citrix Network Gateway (CVE-2019-19781)
MobileIron Mobile Device Management Server (CVE-2020-15505)
F5 BIG-IP Network Equalizer (CVE-2020-5902)
All of the vulnerabilities listed above are for “initial access” to servers deployed at the edge of enterprise and government networks. These vulnerabilities can also be easily combined with the Zerologon Windows vulnerability to implement a similar intrusion attack as this Fortinet VPN + Zerologon.
The Links: T7H816750400 LTM170E4-L01