Threat actors have been chaining vulnerabilities in Windows and Virtual Private Network (VPN) services to target various government agencies, critical infrastructure and election organizations, according to a warning by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI). The technique, which involves exploiting several flaws over the course of a single attack to infiltrate an organization’s network, is part of the gangs' ramped-up efforts ahead of the US presidential election.
“This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” reads the advisory issued by the agencies.
And while CISA did note that some of the attackers’ activities have led to unauthorized access to elections support systems, the agency doesn’t have any evidence to conclude that the integrity of the elections has been jeopardized in any way.
The chains
The threat actors have been exploiting several legacy vulnerabilities in VPN services together with the Windows Netlogon elevation of privilege vulnerability tracked as CVE-2020-1472 and patched in August to gain unauthorized network access. Threat actors have been seen leveraging this flaw, also known as Zerologon, in tandem for example with the vulnerability indexed as CVE-2018-13379 and residing in FortiOS Secure Socket Layer (SSL) VPN.
“After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials,” the agencies warned.
RELATED READING: Black Hat 2020: Fixing voting issues – boiling the ocean?
Additionally, cybercriminals have been observed exploiting a remote code execution vulnerability in MobileIron Core & Connector. The flaw, tracked as CVE-2020-15505, could allow attackers to gain administrative-level privileges to a system; however, its exploitation hasn’t been as widespread.
The advisory also sets out a list of other vulnerabilities that could be used to compromise internet-facing infrastructure and gain network access, such as CVE-2020-19781 in Citrix NetScaler, CVE-2019-11510 in Pulse Secure VPN, and the vulnerability indexed as CVE-2020-5902 and affecting F5 Networks’ BIG-IP multi-purpose networking devices.
To mitigate the chances of being compromised, the CISA and the FBI advise organizations to keep their systems up-to-date and apply the latest available security patches where available. Moreover, institutions should update both their VPN and network infrastructure and use multi-factor authentication when signing into their respective VPN services. If they suspect that credential abuse is afoot, organizations should run comprehensive account resets.
This is just the latest in a series of advisories published by the two federal agencies in the run-up to the 2020 presidential election. Last month, for example, they issued a warning about disinformation campaigns spreading rumors and false claims about hacked voting systems.