The U.S. Cybersecurity and Infrastructure Security Agency, along with the FBI, have released a joint advisory warning that threat actors are actively exploiting vulnerabilities as they target government networks.
The joint advisory, released last Friday, says these recent attacks are directed at federal, state, local, tribal and territorial government networks, and there is some risk to election information housed on government networks.
According to the advisory, the threat actors are exploiting multiple legacy vulnerabilities in combination with the newer CVE-2020-1472, a vulnerability in Microsoft’s Netlogon. This tactic of exploiting multiple vulnerabilities in a single intrusion is called vulnerability chaining.
These attacks have, in some instances, resulted in unauthorized access to elections support systems, but CISA says there isn’t any evidence that the integrity of elections data has been compromised.
Some common tactics, techniques, and procedures (TTPs) used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical CVE-2020-1472 Netlogon vulnerability.
CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505. While these exploits have been observed recently, this activity is ongoing and still unfolding.
After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors and is not limited to state, local, tribal, and territorial (SLTT) entities.
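The chain described above (initial access, Netlogon exploitation against a domain controller, then ordinary RDP or VPN use with stolen credentials) is something a defender can look for in correlated logs. The following is an added illustration, not code from the advisory or from CISA: it runs over constructed, already-normalized events, and the field names and the "netlogon_anomaly" label are assumptions standing in for whatever the DC's Netlogon auditing, the VPN appliance and Windows logon auditing actually emit.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized events (not real log output). Field names and
# the event "kind" labels are assumptions for this example.
EVENTS = [
    {"ts": "2020-10-09T01:02:00", "kind": "vpn_session", "src": "10.8.0.23", "user": "svc_backup"},
    {"ts": "2020-10-09T01:10:00", "kind": "netlogon_anomaly", "src": "10.8.0.23", "host": "DC01"},
    {"ts": "2020-10-09T01:25:00", "kind": "rdp_logon", "src": "10.8.0.23", "user": "Administrator", "host": "DC01"},
    {"ts": "2020-10-09T09:00:00", "kind": "vpn_session", "src": "10.8.0.41", "user": "jdoe"},
    {"ts": "2020-10-09T09:30:00", "kind": "rdp_logon", "src": "10.8.0.41", "user": "jdoe", "host": "WS17"},
    {"ts": "2020-10-09T12:00:00", "kind": "netlogon_anomaly", "src": "10.8.0.77", "host": "DC02"},
    {"ts": "2020-10-09T18:00:00", "kind": "rdp_logon", "src": "10.8.0.77", "user": "Administrator", "host": "DC02"},
]

def _t(ts):
    return datetime.fromisoformat(ts)

def find_chains(events, window_hours=2):
    """Flag each source IP whose Netlogon anomaly against a DC is followed,
    within `window_hours`, by an RDP logon from the same IP: the point in the
    chain where CVE-2020-1472 has handed the actor usable credentials.
    An earlier VPN session from that IP is recorded as the likely initial-access
    step, and an RDP account that differs from the VPN account is noted."""
    window = timedelta(hours=window_hours)
    by_src = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_src.setdefault(e["src"], []).append(e)
    findings = []
    for src, evs in by_src.items():
        for i, nl in enumerate(evs):
            if nl["kind"] != "netlogon_anomaly":
                continue
            later = [e for e in evs[i + 1:] if e["kind"] == "rdp_logon"
                     and _t(e["ts"]) - _t(nl["ts"]) <= window]
            if not later:
                continue
            vpn_users = {e["user"] for e in evs[:i] if e["kind"] == "vpn_session"}
            rdp_users = {e["user"] for e in later}
            findings.append({
                "src": src,
                "dc": nl["host"],
                "rdp_accounts": sorted(rdp_users),
                "vpn_first": bool(vpn_users),
                "account_switch": bool(vpn_users) and not rdp_users <= vpn_users,
            })
    return findings

if __name__ == "__main__":
    for finding in find_chains(EVENTS):
        print(finding)
```

With the default two-hour window only 10.8.0.23 is flagged; widening the window also surfaces 10.8.0.77, whose DC access has no preceding VPN session, so the two parameters trade sensitivity against the volume an analyst has to review.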
CISA recommends that network staff and administrators review internet-facing infrastructure for those vulnerabilities and several others, including Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510, Citrix NetScaler CVE-2019-19781, and Palo Alto Networks CVE-2020-2021.
To protect against these vulnerabilities, administrators should establish and maintain a thorough patching cycle, CISA says.