Threat actors have found an efficient method to breach government networks. By combining VPN and Windows vulnerabilities, they have gained access to state, local, tribal, and territorial government networks.
The information comes from a joint security alert published by the FBI and CISA.
According to CISA, in some cases the attackers have gained unauthorized access to election support systems. However, the agency has no confirmed information that the integrity of election data has been compromised.
“Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” the security alert says.
What Vulnerabilities Have Attackers Been Exploiting?
Two specific security flaws were chained: CVE-2018-13379 and CVE-2020-1472. The first is in the Fortinet FortiOS Secure Socket Layer (SSL) VPN, an on-premises VPN server that serves as a secure gateway for remote access to enterprise networks. It is a path traversal vulnerability in the FortiOS SSL VPN web portal that could allow unauthenticated attackers to download files via specially crafted HTTP resource requests.
CVE-2020-1472, also known as Zerologon, is an elevation-of-privilege flaw that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). After a successful exploit, the attacker could run a specially crafted application on a device on the targeted network.
According to the joint security alert, attackers are using the two vulnerabilities in combination. The alert does not identify the attackers, but the researchers say APT groups are behind the activity.
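Defenders can look for both halves of this chain in their own telemetry. The following is an added example, not code from the FBI/CISA alert or from either vendor: it flags directory-traversal attempts in constructed SSL VPN portal access-log lines and tallies, per machine account, the Netlogon event ID 5829 ("vulnerable Netlogon secure channel connection allowed") that Microsoft's August 2020 Netlogon hardening update writes to the System log. The log lines, hostnames, IPs, and the `/sslvpn/` path prefix are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample data for illustration; none of it comes from the alert or a real incident.
PORTAL_ACCESS_LOG = [
    '10.0.0.5 - - [10/Oct/2020:08:01:02 +0000] "GET /sslvpn/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2020:08:01:09 +0000] "GET /sslvpn/static/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2020:08:01:10 +0000] "GET /sslvpn/static/%252e%252e/%252e%252e/config HTTP/1.1" 200 4096',
    '10.0.0.9 - - [10/Oct/2020:08:02:11 +0000] "POST /sslvpn/logincheck HTTP/1.1" 302 0',
]

# Netlogon events as a SIEM might normalise them (constructed). Event IDs 5827-5831 come from
# Microsoft's Netlogon hardening update for CVE-2020-1472; 5829 = vulnerable connection *allowed*,
# 5827 = connection from a machine account *denied*. 5805 is an unrelated Netlogon event.
NETLOGON_EVENTS = [
    {"event_id": 5829, "dc": "DC01", "account": "WKSTN-17$", "client": "10.0.0.23"},
    {"event_id": 5805, "dc": "DC01", "account": "WKSTN-04$", "client": "10.0.0.30"},
    {"event_id": 5829, "dc": "DC01", "account": "WKSTN-17$", "client": "10.0.0.23"},
    {"event_id": 5827, "dc": "DC02", "account": "WKSTN-17$", "client": "10.0.0.23"},
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) ')

def has_traversal(path: str) -> bool:
    """True if the request path contains a parent-directory ('..') segment after undoing up to
    two layers of percent-encoding and treating backslashes as path separators."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("?")[0].split("/"))

def flag_traversal(lines):
    """Return (client_ip, raw_path) for every request whose path walks up the directory tree."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and has_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits

def vulnerable_netlogon_accounts(events):
    """Count 5829 events per machine account. Any non-zero count means a domain controller is
    still accepting the vulnerable secure channel connections the Zerologon fix is meant to refuse."""
    return Counter(e["account"] for e in events if e["event_id"] == 5829)

if __name__ == "__main__":
    for ip, path in flag_traversal(PORTAL_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {path}")
    for account, n in vulnerable_netlogon_accounts(NETLOGON_EVENTS).items():
        print(f"{account}: {n} vulnerable Netlogon connection(s) allowed")
```

A 5829 count that is non-zero after the patch indicates the domain controller is running in compatibility mode rather than enforcement mode; 5827 events show the same clients being refused once enforcement is on.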
Other Vulnerabilities Could Be Chained with CVE-2020-1472
These are not the only vulnerabilities the APT groups can exploit. FBI and CISA researchers say attackers could replace the Fortinet bug with other, similar flaws that provide initial access to servers, such as:
- CVE-2019-11510 in Pulse Secure “Connect” enterprise VPNs
- CVE-2019-1579 in Palo Alto Networks “Global Protect” VPN servers
- CVE-2019-19781 in Citrix “ADC” servers and Citrix network gateways
- CVE-2020-15505 in MobileIron mobile device management servers
- CVE-2020-5902 in F5 BIG-IP network balancers
Any of the listed flaws can be chained with the Zerologon bug, the researchers warned.