The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory about sophisticated advanced persistent threat groups sequencing exploits for various vulnerabilities in cyberattacks focused at federal and state, local, tribal, and territorial (SLTT) government networks, election support systems and critical infrastructure. Although there were thriving attacks on the election support systems, there is no proof identified that indicates the breach of any election data so far.
Attackers are targeting some legacy vulnerabilities alongside lately found vulnerabilities, including CVE-2020-1472, a Windows Server Netlogon remote protocol vulnerability also called Zerologon. Microsoft issued a patch for the Zerologon on August 2020 Patch Tuesday however users are poorly implementing the patching.
Chaining vulnerabilities in just one cyberattack is not new. It is a frequent tactic employed by sophisticated hackers to compromise systems and apps, elevate privileges, and get persistent access to the networks of the victims.
The warning didn’t indicate which APT groups are executing the attacks, however, Microsoft a short while ago released a warning regarding the Mercury APT group – which has an association with Iran – exploiting the Zerologon to acquire access to government systems. Those attacks have been persistent for around two weeks.
CISA and the FBI revealed in the notification that attacks commence with the exploitation of legacy vulnerabilities located in VPNs and network access devices. In many attacks, preliminary access to networks was obtained via exploitation of vulnerability CVE-2018-13379 of the Fortinet FortiOS Secure Socket Layer (SSL) VPN as well as the MobileIron vulnerability CVE-2020-15505. Ransomware gangs are likewise taking advantage of the last-mentioned vulnerability subsequent to the advisory of a PoC exploit for the flaw.
Although the most current campaigns were performed exploiting the previously mentioned vulnerabilities, CISA/FBI advises that there are some other legacy vulnerabilities in Internet-facing infrastructure that may, in the same way, be taken advantage of in attacks for example:
- CVE-2019-19781 – Citrix Gateway/Citrix SD WAN WANOP vulnerability
- CVE-2020-5902 – F5 BIG-IP vulnerability
- CVE-2019-11510 – Pulse Secure vulnerability
- CVE2019-19751 – Citrix NetScaler vulnerability
- CVE-2020-2021 – Palo Alto Networks vulnerability
- CVE-2020-1631 – Juniper vulnerability
The moment a vulnerability is taken advantage of to acquire access to the victim’s system, the attackers then take advantage of lately identified vulnerabilities for example the Zerologon, which permits them to lift privileges to administrator, swipe usernames and passwords, and obtain access to Windows Active Directory servers and create persistent access to systems. Highly regarded tools including CrackMapExe and MimiKatz are usually utilized in the attacks.
As a result of the high probability for the exploitation of the Zerologon vulnerability, Microsoft gave a number of warnings telling institutions to implement the patch without delay, like the CERT Coordination Center and CISA
CISA and the FBI have advised some mitigations to prohibit these attacks, the most vital of which is patching the earlier mentioned vulnerabilities. Patching vulnerabilities in software programs and devices quickly and vigilantly is the best safeguard against APT groups.
Other necessary steps to take on are associated with more standard network practices and user management for instance:
- Apply multi-factor authentication on all VPN connections, if possible utilizing physical security tokens that are the best system of MFA, or otherwise employing authenticator application-based MFA.
- Discard unused VPN servers.
- Use strong passwords for all end-users and providers who ought to be connected by VPNs.
- Carry out audits of settings and use patches to management programs.
- Utilize separate admin accounts on different administration workstations.
- Keep track of network traffic for unforeseen or unapproved protocols, specifically outbound traffic to the net.
- Update all applications to the newest versions and put updates to be used instantly wherever possible.
- Protect Netlogon channel connections by ensuring that all domain controllers and read-only domain controllers are up-to-date.
- Prevent public access to weak unused ports for example port 445 and 135.
CISA and the FBI advise that any company having Internet-facing infrastructure must embrace an “assume Breach” thinking.
In the event of the discovery of CVE-2020-1472 or Netlogon activity or other evidence of valid credential abuse, it ought to be presumed that the APT actors have breached AD administrative accounts. The AD forest should never be entirely relied on, and, for that reason, a new forest must be deployed.
Since completely resetting an AD forest is complicated and tricky, organizations ought to consider finding support from third-party cybersecurity agencies with knowledge of efficiently doing the task.