Attackers are Linking Netlogon, VPN Bugs Together in Order to Attack Govts!

CISA is warning that attackers are chaining the recent Netlogon vulnerability with VPN vulnerabilities to break into government networks.

Two months after Microsoft patched it, a serious vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC) continues to cause trouble.

Attackers are using the critical flaw, known as Zerologon, in ‘vulnerability chains’ with other, older vulnerabilities to compromise networks.

Advanced Persistent Threat (APT)

The US Cybersecurity and Infrastructure Security Agency (CISA) warned about the campaign on Friday, saying it has observed Advanced Persistent Threat (APT) actors chaining CVE-2020-1472, the Netlogon vulnerability, with other vulnerabilities to attack government networks.

Specifically, attackers have targeted Federal and SLTT governments (the US Department of Homeland Security’s term for State, Local, Tribal and Territorial governments).

CISA, which wrote the advisory (PDF) together with the FBI, would not confirm which governments were targeted, but did say that some attacks led to unauthorised access to election support systems.

CISA did not say that the attacks compromised any election data, nor that the attacks were carried out because the systems housed election information. Given the activity, however, it warned there could be “some risk to elections information housed on govt. networks.”

Netlogon

Some of the attacks CISA has observed combined the Netlogon vulnerability with a path-traversal vulnerability in Fortinet’s FortiOS SSL VPN (CVE-2018-13379) and a critical remote code execution vulnerability in MobileIron Core and Connector (CVE-2020-15505).

In some ways this advisory repeats warnings CISA has issued throughout 2020. Previously it stressed the importance of patching VPN bugs in Juniper (CVE-2020-1631), Pulse Secure (CVE-2019-11510) and Citrix (CVE-2019-19781) products, and on Friday it noted that attackers could combine those bugs with the Netlogon vulnerability as well.

The F5 BIG-IP vulnerability, CVE-2020-5902, could also prove attractive to attackers looking to extend a vulnerability chain, CISA has warned.

Secura

Details of CVE-2020-1472, an elevation-of-privilege vulnerability, were largely unknown until about a month ago, when Secura, a Dutch security firm, published a paper outlining it. Proof-of-concept exploit code surfaced online shortly afterwards, as did a US federal mandate from CISA (Emergency Directive 20-04) requiring all agencies to patch the vulnerability if they had not already done so.

An unauthenticated attacker with network access to a domain controller exploits the flaw by establishing a vulnerable Netlogon secure channel to it; the attempt costs nothing and can simply be repeated until it succeeds.
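As an added illustration, not code from the article, Secura or Microsoft: the weakness Secura documented is that Netlogon’s ComputeNetlogonCredential encrypts the 8-byte client challenge with AES-128 in CFB8 mode under a fixed all-zero IV, so an all-zero challenge produces an all-zero credential for roughly one session key in 256, which is why a client that sends zeros and retries a few hundred times eventually gets a secure channel accepted without knowing the key. The script below models only the CFB8 mode of operation. The block function is a keyed BLAKE2b standing in for AES-128 (an assumption made so the script runs on the standard library alone; CFB only ever calls the cipher in the forward direction, so the property does not depend on it being AES), and nothing here speaks the Netlogon protocol or contacts a domain controller.

```python
"""Model of the AES-CFB8 zero-IV weakness behind CVE-2020-1472 (Zerologon).

CFB8 keeps a 16-byte shift register, encrypts it, XORs the first byte of
the result into one plaintext byte, then shifts the resulting ciphertext
byte into the register.  With an all-zero IV and an all-zero plaintext,
the register stays all-zero for the whole message whenever the first
keystream byte happens to be zero, so the ciphertext is all-zero for
about 1 in 256 keys.
"""
import hashlib

BLOCK_SIZE = 16            # AES block size; CFB8 shifts one byte per step
ZERO_IV = bytes(BLOCK_SIZE)  # the fixed IV Netlogon uses (the bug)
ZERO_CHALLENGE = bytes(8)    # an all-zero 8-byte ClientChallenge


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block.

    ASSUMPTION: a keyed BLAKE2b truncated to 16 bytes replaces AES so the
    example needs no third-party library.  CFB never decrypts with the
    block cipher, so a keyed pseudo-random function is enough here.
    """
    assert len(key) == 16 and len(block) == BLOCK_SIZE
    return hashlib.blake2b(block, key=key, digest_size=BLOCK_SIZE).digest()


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 encryption: one block-function call per plaintext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_fn(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])  # shift ciphertext byte in
    return bytes(out)


def zero_challenge_credential(key: bytes, iv: bytes = ZERO_IV) -> bytes:
    """Credential the server expects for an all-zero challenge under `key`."""
    return cfb8_encrypt(key, iv, ZERO_CHALLENGE)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """True when encrypting the all-zero register yields a leading 0x00."""
    return block_fn(key, ZERO_IV)[0] == 0


def property_holds_for_keys(n_keys: int) -> bool:
    """For n_keys deterministic keys, check the exact iff relation:
    all-zero credential  <=>  first keystream byte is zero."""
    for i in range(n_keys):
        key = i.to_bytes(16, "big")
        all_zero = zero_challenge_credential(key) == bytes(8)
        if all_zero != first_keystream_byte_is_zero(key):
            return False
    return True


def count_zero_credentials(n_keys: int, iv: bytes = ZERO_IV) -> int:
    """Count keys 0..n_keys-1 whose all-zero challenge encrypts to all zeros."""
    hits = 0
    for i in range(n_keys):
        key = i.to_bytes(16, "big")
        if zero_challenge_credential(key, iv) == bytes(8):
            hits += 1
    return hits


if __name__ == "__main__":
    n = 4096
    hits = count_zero_credentials(n)
    print(f"zero IV:     {hits}/{n} keys accept an all-zero credential "
          f"(about 1 in 256 expected, i.e. ~{n // 256})")
    # Contrast: with a non-zero IV every ciphertext byte is a fresh
    # keystream byte, so an all-zero credential needs ~2^-64 luck.
    print(f"non-zero IV: {count_zero_credentials(n, bytes(range(1, 17)))}/{n}")
```

The `count_zero_credentials` figure is what makes the attack practical: an attacker who sends an all-zero challenge and an all-zero credential needs on average 256 attempts before the domain controller’s random session key happens to start the keystream with 0x00, and Netlogon imposes no lockout on failed secure channel setups.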

Awareness

Despite being patched by Microsoft in August, with awareness spreading in September, the vulnerability has lingered on. Microsoft warned recently that cyber-criminals were using it in a campaign posing as software updates. Since the August update, patched domain controllers also log events 5827 to 5831 in the System log whenever a vulnerable Netlogon secure channel connection is denied or allowed, which lets administrators check whether any machine or trust account is still relying on such connections before enforcement mode is turned on.

Admins looking for more information on the Netlogon vulnerability, such as how attackers are using it to abuse credentials and maintain persistence, and some of the ways they use it for privilege escalation, should read CISA’s latest advisory.
