12 October 2020

APT groups are chaining VPN and Windows flaws in attacks against US govt entities


The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint warning about attacks on US state, local, tribal, and territorial government networks in which sophisticated hackers are combining VPN and Windows vulnerabilities.

“CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application,” the security alert said.

“Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” the agencies added.

Tactics, techniques, and procedures used by the APT groups in the observed attacks include leveraging legacy network access and virtual private network (VPN) vulnerabilities along with the recent critical CVE-2020-1472 Netlogon vulnerability. The hackers have also been observed using the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability (CVE-2018-13379) and a MobileIron vulnerability (CVE-2020-15505) to gain access to target networks.

“While these exploits have been observed recently, this activity is ongoing and still unfolding,” the two agencies said.

Upon gaining initial access, the malicious actors have been observed exploiting CVE-2020-1472 to compromise Active Directory (AD) identity services, and then using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to move through the environment with the compromised credentials.
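The two-step chain described above (a Netlogon-based compromise of AD identity, followed by ordinary remote logons with the stolen credentials) is something a SOC can look for in Windows Security logs. The script below is an added illustration, not code from the advisory or the agencies: it correlates a computer-account change event (4742) whose subject is ANONYMOUS LOGON and whose target is a domain controller's machine account, a commonly cited indicator of CVE-2020-1472 abuse, with RemoteInteractive (RDP, logon type 10) logons (4624) that follow within a time window. The event records, the DC account list, and the IP addresses are constructed sample data; the field names mirror the Windows event schema but the exact fields your log pipeline exposes may differ.

```python
"""Correlate a suspicious domain-controller machine-account reset with later
RDP logons, over constructed sample events (added illustrative code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: dict = field(default_factory=dict)


# Assumption: the defender maintains an accurate list of DC machine accounts.
DC_ACCOUNTS = {"DC01$", "DC02$"}


def is_anonymous_dc_reset(ev, dc_accounts):
    """Event 4742 (computer account changed) with an ANONYMOUS LOGON subject
    targeting a DC machine account. A machine-account password change with no
    authenticated subject is the pattern associated with Netlogon abuse."""
    return (
        ev.event_id == 4742
        and ev.fields.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
        and ev.fields.get("TargetUserName", "") in dc_accounts
    )


def is_rdp_logon(ev):
    """Event 4624 with logon type 10 (RemoteInteractive, i.e. RDP)."""
    return ev.event_id == 4624 and ev.fields.get("LogonType") == "10"


def correlate(events, dc_accounts, window=timedelta(hours=2)):
    """Return one alert per suspicious DC reset, listing the RDP logons that
    follow it within `window`: the chain of Netlogon compromise followed by
    legitimate remote access with compromised credentials."""
    alerts = []
    for reset in (e for e in events if is_anonymous_dc_reset(e, dc_accounts)):
        followups = [
            e for e in events
            if is_rdp_logon(e) and reset.ts <= e.ts <= reset.ts + window
        ]
        alerts.append({
            "dc": reset.fields["TargetUserName"],
            "reset_at": reset.ts.isoformat(),
            "rdp_logons": [
                (e.fields["TargetUserName"], e.fields["IpAddress"])
                for e in sorted(followups, key=lambda e: e.ts)
            ],
        })
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Benign: a join-service account changing a workstation account.
    Event(datetime(2020, 10, 1, 9, 0), 4742,
          {"SubjectUserName": "svc-joiner", "TargetUserName": "WS042$"}),
    # Suspicious: anonymous subject resetting a DC machine account.
    Event(datetime(2020, 10, 1, 9, 15), 4742,
          {"SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}),
    # Network logon (type 3), not RDP, so it is not part of the alert.
    Event(datetime(2020, 10, 1, 9, 20), 4624,
          {"LogonType": "3", "TargetUserName": "administrator",
           "IpAddress": "10.8.0.23"}),
    # RDP logon from a VPN pool address shortly after the reset.
    Event(datetime(2020, 10, 1, 9, 40), 4624,
          {"LogonType": "10", "TargetUserName": "administrator",
           "IpAddress": "10.8.0.23"}),
    # RDP logon hours later, outside the correlation window.
    Event(datetime(2020, 10, 1, 14, 0), 4624,
          {"LogonType": "10", "TargetUserName": "jdoe",
           "IpAddress": "10.8.0.5"}),
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(alert)
```

The window and the DC list are the two knobs to tune: a DC machine account should essentially never be changed by an anonymous subject, so the 4742 match alone deserves attention, and the RDP correlation mainly helps scope which credentials were used afterwards.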

To prevent such attacks, CISA advises administrators to audit their networks for the above-mentioned and similar vulnerabilities, including Juniper Junos OS (CVE-2020-1631), Pulse Secure (CVE-2019-11510), Citrix NetScaler (CVE-2019-19781), and Palo Alto Networks (CVE-2020-2021).
