12 October 2020

APT groups are chaining VPN and Windows flaws in attacks against US govt entities

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint warning about attacks on US state, local, tribal, and territorial government networks in which sophisticated hackers are combining VPN and Windows vulnerabilities.

“CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application,” the security alert said.

“Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” the agencies added.

The tactics, techniques, and procedures used by the APT groups in the observed attacks include exploiting legacy network access and virtual private network (VPN) vulnerabilities together with the recent critical CVE-2020-1472 Netlogon vulnerability. The hackers have also been observed using the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability (CVE-2018-13379) and the MobileIron vulnerability (CVE-2020-15505) to gain access to target networks.

“While these exploits have been observed recently, this activity is ongoing and still unfolding,” the two agencies said.

Upon gaining initial access, the malicious actors have been observed exploiting CVE-2020-1472 to compromise Active Directory (AD) identity services, and then using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to move through the environment with the compromised credentials.
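For defenders, the Netlogon step of this chain leaves traces in domain controller event logs. The script below is an added illustration (not code from the FBI/CISA alert or from this article) that scans event records for two well-documented indicators of CVE-2020-1472 abuse: a Security event 4742 ("A computer account was changed") where the subject is ANONYMOUS LOGON and the target is a domain controller's machine account, and a System event 5829 from NETLOGON, which a patched DC logs when it still allows a vulnerable Netlogon secure channel connection. The event records, their flat dictionary schema, and the hostnames are constructed for the example.

```python
"""Flag event-log patterns associated with CVE-2020-1472 (Zerologon) abuse.

Assumed input schema: each event is a flat dict keyed by field name, as a
log-forwarding pipeline might emit. The sample events are constructed for
this illustration and are not real exported logs.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    event_id: int
    host: str
    detail: str


# Constructed sample events (assumed schema).
SAMPLE_EVENTS = [
    # Machine-account password reset by an unauthenticated caller on the DC:
    # the pattern Zerologon exploitation produces.
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "PasswordLastSet": "10/12/2020 09:14:02"},
    # Benign: a join account rotating a workstation's machine password.
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": "svc-join", "TargetUserName": "WS042$",
     "PasswordLastSet": "10/12/2020 09:20:11"},
    # Patched DC still allowing a vulnerable Netlogon connection.
    {"EventID": 5829, "Computer": "DC01.corp.example", "Provider": "NETLOGON",
     "SAMAccountName": "FILE02$", "ClientIP": "10.20.30.40"},
    # Noise: anonymous logon events alone are common and not flagged here.
    {"EventID": 4624, "Computer": "DC01.corp.example",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "-"},
]


def is_dc_account(name, dc_accounts):
    """Case-insensitive membership test against the list of DC machine accounts."""
    return name.upper() in {d.upper() for d in dc_accounts}


def detect_zerologon(events, dc_accounts):
    """Return Findings for events matching the two Zerologon indicators.

    dc_accounts: machine-account names of the domain controllers (e.g. "DC01$"),
    which the caller supplies from their own AD inventory.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 4742:
            subject = ev.get("SubjectUserName", "")
            target = ev.get("TargetUserName", "")
            if subject.upper() == "ANONYMOUS LOGON" and is_dc_account(target, dc_accounts):
                findings.append(Finding(
                    4742, host,
                    f"DC machine account {target} changed by ANONYMOUS LOGON "
                    f"(PasswordLastSet={ev.get('PasswordLastSet', '?')})"))
        elif eid == 5829 and ev.get("Provider") == "NETLOGON":
            findings.append(Finding(
                5829, host,
                f"vulnerable Netlogon secure channel allowed from "
                f"{ev.get('SAMAccountName', '?')} at {ev.get('ClientIP', '?')}"))
    return findings


if __name__ == "__main__":
    for f in detect_zerologon(SAMPLE_EVENTS, ["DC01$"]):
        print(f"[{f.event_id}] {f.host}: {f.detail}")
```

Running it against the constructed sample flags the anonymous reset of DC01$ and the allowed vulnerable connection from FILE02$, while the workstation password rotation and the bare anonymous logon are ignored. The 5829 finding is a patch-deployment signal rather than proof of an attack: it identifies a client that still negotiates an insecure channel and would be refused once enforcement mode is on.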

To prevent such attacks, CISA advises administrators to audit their networks for the above-mentioned and similar vulnerabilities, including Juniper Junos OS (CVE-2020-1631), Pulse Secure (CVE-2019-11510), Citrix NetScaler (CVE-2019-19781), and Palo Alto Networks (CVE-2020-2021).
