Attackers Chaining Together Netlogon, VPN Bugs to Attack Govts
CISA is warning that attackers are chaining together the recent Netlogon vulnerability, along with VPN vulnerabilities, to hack government networks.
Two months after it was patched by Microsoft, issues involving a troublesome vulnerability in the Windows Netlogon Remote Protocol continue to pop up.
Now attackers are leveraging the critical flaw, dubbed Zerologon, in vulnerability chains with other legacy vulnerabilities, in order to compromise networks.
The Cybersecurity & Infrastructure Agency (CISA) warned about the campaign on Friday, saying it has observed advanced persistent threat (APT) actors chaining together CVE-2020-1472, the Netlogon vulnerability, with other vulnerabilities to attack government networks. Specifically, attackers have had federal and SLTT governments (the Department of Homeland Security's classification for state, local, tribal, and territorial governments) in their crosshairs.
While CISA, which wrote the advisory (.PDF) along with the Federal Bureau of Investigation, wouldn't confirm which governments were targeted, it did say that some attacks actually led to unauthorized access to election support systems. CISA stopped short of saying that the attacks compromised any election data or that they were carried out because the systems housed election information. Still, given the activity, it suggests there could be "some risk to elections information housed on government networks."
Some of the attacks CISA has observed have combined the Netlogon vulnerability with a vulnerability in Fortinet’s FortiOS Secure Socket Layer (SSL) VPN (CVE-2018-13379) and a critical vulnerability in MobileIron Core & Connector versions (CVE-2020-15505).
In some ways the post echoes warnings CISA has issued throughout the year so far. It previously stressed the importance of patching VPN bugs involving Juniper (CVE-2020-1631), Pulse Secure (CVE-2019-11510) and Citrix (CVE-2019-19781) and said on Friday that attackers could combine those bugs with the Netlogon vulnerability, too. The F5 BIG-IP vulnerability, CVE-2020-5902, could also prove attractive to attackers looking to bolster a vulnerability chain, CISA warned.
Details around CVE-2020-1472, an elevation of privilege vulnerability, were basically unknown until about a month ago when Secura, a Dutch security firm, published a paper outlining the vulnerability. Proof of concept exploit code for the vulnerability surfaced online not long after, as did a federal mandate, via CISA, for all agencies to patch the vulnerability if they hadn't yet.
Attackers can exploit the vulnerability by establishing a vulnerable Netlogon secure connection to a domain controller.
Despite being patched by Microsoft in August and awareness of the vulnerability spreading in September, the vulnerability has lingered. Microsoft warned recently that cybercriminals were using the vulnerability in a campaign posing as software updates.
Admins looking for more information on the Netlogon vulnerability, like how attackers are using it to abuse credentials and maintain persistence and some of the ways attackers are leveraging it for privilege escalation, should read CISA’s latest warning.