CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw

A joint advisory has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warning about sophisticated advanced persistent threat actors chaining exploits for multiple vulnerabilities in cyberattacks against federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and election support systems. While there have been successful attacks on the latter, no evidence has been found to suggest any election data have been compromised to date.

Several legacy vulnerabilities are being targeted along with more recently discovered vulnerabilities, such as the Windows Server Netlogon remote protocol vulnerability – CVE-2020-1472 – also known as Zerologon. Microsoft issued a patch for the flaw on August 2020 Patch Tuesday, but patching has been slow.

Chaining vulnerabilities in a single cyberattack is nothing new. It is a common tactic used by sophisticated threat groups to compromise networks and applications, elevate privileges, and achieve persistent access to victims’ networks.

The advisory did not specify which APT groups are conducting the attacks, although Microsoft recently issued an alert about the Mercury APT group – which has links to Iran – exploiting the Zerologon flaw to gain access to government networks. Those attacks have been ongoing for at least two weeks.

CISA and the FBI explained in the advisory that attacks start with the exploitation of legacy vulnerabilities in VPNs and network access devices. In several attacks, initial access to networks was gained by exploiting the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability – CVE-2018-13379 and, to a lesser extent, the MobileIron vulnerability – CVE-2020-15505. The latter vulnerability is also being exploited by ransomware gangs following the publication of a PoC exploit for the flaw.

While the latest campaigns have exploited the above vulnerabilities, CISA/FBI warn that other legacy vulnerabilities in Internet-facing infrastructure could similarly be exploited in attacks, such as:

  • Citrix Gateway/Citrix SD WAN WANOP vulnerability – CVE-2019-19781
  • Pulse Secure vulnerability – CVE-2019-11510
  • F5 BIG-IP vulnerability – CVE-2020-5902
  • Palo Alto Networks vulnerability – CVE-2020-2021
  • Citrix NetScaler vulnerability – CVE-2019-19751
  • Juniper vulnerability – CVE-2020-1631

Once a flaw has been exploited to gain access to the target’s network, the attackers exploit more recently discovered vulnerabilities such as the Zerologon flaw, which allows them to elevate privileges to administrator, steal usernames and passwords, access Windows Active Directory servers, and establish persistent access to the network. Legitimate tools such as Mimikatz and CrackMapExec are often used in the attacks.

Due to the high potential for exploitation of the Zerologon flaw, Microsoft issued multiple alerts urging organizations to apply the patch as soon as possible, as have CISA and the CERT Coordination Center.

CISA and the FBI have suggested several mitigations to block these attacks, the most important of which is patching the above vulnerabilities. Patching vulnerabilities in software and equipment promptly and diligently is the best defense against APT groups.

Other important steps to take are concerned with more traditional network hygiene and user management such as:

  • Implement multi-factor authentication on all VPN connections, ideally using physical security tokens, which are the most secure method of MFA, or alternatively using authenticator app-based MFA.
  • Set strong passwords for all users and vendors who need to connect via VPN.
  • Discontinue unused VPN servers.
  • Conduct audits of configuration and patch management programs.
  • Monitor network traffic for unexpected or unapproved protocols, especially outbound traffic to the Internet.
  • Use separate admin accounts on separate administration workstations.
  • Update all software to the latest versions and configure updates to be applied automatically where possible.
  • Block public access to vulnerable unused ports such as ports 445 and 135.
  • Secure Netlogon channel connections by updating all domain controllers and read-only domain controllers.

CISA and the FBI suggest any organization with Internet-facing infrastructure should adopt an “assume breach” mentality.

“If there is an observation of CVE-2020-1472 or Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed,” explained CISA/FBI in the alert.

Since fully resetting an AD forest is difficult and complex, organizations should consider seeking assistance from third-party cybersecurity firms with experience of successfully completing the task.
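The advisory's trigger for the "assume breach" decision is an observation of Netlogon or CVE-2020-1472 activity on a domain controller. The following is an added example, not code from the advisory or from CISA/FBI, of a small triage routine over constructed domain-controller event records; the event IDs (5829 and 4742) are real Windows events, but the JSON field names are simplified and the records themselves are constructed for the example.

```python
"""Flag constructed domain-controller events that match Zerologon
(CVE-2020-1472) activity. Added example; records are constructed."""
import json

# Constructed sample events (JSON lines), not real telemetry.
# 5829 (System log, Netlogon): a vulnerable Netlogon secure-channel
#      connection was allowed; DCs log this after the August 2020 update.
# 4742 (Security log): a computer account was changed. The Zerologon
#      exploit resets a DC's machine-account password, which shows as a
#      4742 whose subject is ANONYMOUS LOGON. A DC rotating its own
#      password appears with the machine account itself as the subject.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "DC01", "SubjectUserName": "alice", "TargetUserName": "svc-backup"}
{"EventID": 5829, "Computer": "DC01", "SamAccountName": "WKS-017$"}
{"EventID": 4742, "Computer": "DC01", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}
{"EventID": 4742, "Computer": "DC01", "SubjectUserName": "DC01$", "TargetUserName": "DC01$"}
"""


def triage_event(ev):
    """Return (severity, reason) for one event, or None if uninteresting."""
    eid = ev.get("EventID")
    if eid == 5829:
        # Either Netlogon enforcement is not yet on, or something probed
        # the DC with an unsigned secure channel; worth a look either way.
        return ("medium",
                f"vulnerable Netlogon secure channel allowed for "
                f"{ev.get('SamAccountName')}")
    if eid == 4742:
        target = ev.get("TargetUserName", "")
        subject = ev.get("SubjectUserName", "")
        # Machine accounts end in '$'; an anonymous password change on one
        # matches the exploit's password reset and is the advisory's trigger.
        if target.endswith("$") and subject.upper() == "ANONYMOUS LOGON":
            return ("high",
                    f"machine account {target} password reset by ANONYMOUS LOGON")
    return None


def triage(jsonl):
    """Scan JSON-lines events; return a list of (severity, computer, reason)."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hit = triage_event(ev)
        if hit:
            findings.append((hit[0], ev.get("Computer"), hit[1]))
    return findings


if __name__ == "__main__":
    for sev, host, why in triage(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {host}: {why}")
```

Any "high" finding here is the point at which the advisory says the AD administrative accounts should be treated as compromised.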

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.