Hackers used VPN flaws to access US govt elections support systems

Government-backed hackers have compromised and gained access to US elections support systems by chaining together VPN vulnerabilities and the recent Windows CVE-2020-1472 security flaw.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says that advanced persistent threat (APT) actors used this vulnerability chaining tactic to target federal and SLTT (state, local, tribal, and territorial) government networks, as well as election organizations, and critical infrastructure.

Election support systems compromised

“Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” says a joint security advisory published by CISA and the FBI.

Despite that, CISA added that it is “aware of some instances where this activity resulted in unauthorized access to elections support systems.”

However, there is no evidence that the advanced persistent threat (APT) actors were able to use their access to compromise the “integrity of elections data” as CISA explains.

To gain access to these systems, the attackers exploited Internet-exposed servers using the CVE-2018-13379 vulnerability in the Fortinet FortiOS Secure Socket Layer (SSL) VPN or the CVE-2020-15505 flaw in the MobileIron Unified Endpoint Management (UEM) for mobile devices to gain initial access.

Afterward, they exploited CVE-2020-1472 (aka Zerologon), a critical security flaw in the Windows Netlogon authentication protocol that allows attackers to elevate privileges to domain administrator after successful exploitation, enabling them to take control over the entire domain and to change users’ password.

“Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials,” CISA adds. “Observed activity targets multiple sectors, and is not limited to SLTT entities.”

Last week, Microsoft also warned of Iranian-backed hacking group MERCURY (aka MuddyWaterSeedWorm, and TEMP.Zagros) actively exploiting Zerologon in their attacks.

VPN bugs that could be used in future attacks

Even though the APT hackers have exploited the CVE-2018-13379 FortiOS SSL VPN web portal vulnerability to gain network access, CISA warns that they could use any other vulnerability to target unpatched and Internet-facing network edge devices in their attacks.

CISA advises organizations that could be targeted by these attacks to immediately patch all known flaws within their internet-exposed network infrastructure.

The US cybersecurity agency highlights the following vulnerabilities as ones that APT actors could most likely use in future attacks against government and critical infrastructure networks to gain initial access:

Some of them have already been used in previous attacks exploiting the CVE-2019-11510 Pulse VPN flaw, the CVE-2019-19781 Citrix NetScaler bug, and the CVE-2020-5902 critical F5 BIG-IP flaw.

In September, Microsoft has also warned of Russian, Chinese, and Iranian APT actors targeting the 2020 US elections.

Microsoft’s report confirmed intelligence shared by the US govt in July and August on Russian, Iranian, and Chinese hackers trying to “compromise the private communications of U.S. political campaigns, candidates and other political targets.”

This month, CISA has also alerted of an increasing number of Emotet attacks that have targeted multiple US state and local governments.

[출처 : BleepingComputer / 10.12.]