Threat Watch

APT Using Two Vulnerabilities Together to Attack Government Networks

According to a joint report from the FBI and CISA on October 9th, 2020 an Advanced Persistent Threat (APT) was observed using two separate vulnerabilities to make their way into the networks of US federal, state, local and tribal government agencies. Some of the actions included access to elections support systems. No evidence that the integrity of the election has been compromised in any way was found, according to CISA. Additional government and non-government entities were targeted as well, and it does not appear that only election-related entities are being targeted. The threat actor is using CVE-2018-13379 which is a vulnerability in the Fortinet FortiOS Secure Socket Layer (SSL) VPN, an on-premise VPN server that is designed to be used as a secure gateway. The second vulnerability, CVE-2020-1472, is known as Zerologon, a vulnerability in the Netlogon protocol used by Windows workstations to authenticate against a Windows Server running as a domain controller. The attackers will start out using the VPN bug and once they gain access, take over the domain controllers in the victim organization’s network using Zerologon.

ANALYST NOTES

Threat actors commonly use older vulnerabilities to gain access to systems that are not patched quickly. it is important to apply updates and patches to systems as soon as they are available to reduce attack from happening. Hacking chains like this, where multiple vulnerabilities are used are becoming more common according to the report. It is important to understand that these two vulnerabilities are not the only ones that an attack like this can occur with. Any VPN vulnerability could allow an attacker to exploit it and move on to compromise the network. With the 2020 election moving closer, attacks that involve elections systems and entities will become more common. The threat actors behind the attack are not mentioned in the report but Microsoft warned last week that Iranian APT Mercury (Muddy Water) was seen exploiting the Zerologon vulnerability. Iran has also been seen targeting US government entities in the past. The CISA did not state at this time whether this attack chain is being used by Iranian actors.

More can be read here: https://www.zdnet.com/article/hacker-groups-chain-vpn-and-windows-bugs-to-attack-us-government-networks/