FBI, CISA Warn APT Hackers Chaining Vulnerabilities in Cyberattacks

APT hackers are targeting government networks, critical infrastructure, and election organizations with chained vulnerability cyberattacks, the FBI and CISA warned in a joint alert.

October 12, 2020 - Advanced persistent threat (APT) hackers are targeting government networks, critical infrastructure, and election organizations by chaining vulnerabilities – a method of exploiting multiple flaws in one single cyberattack, according to a joint alert from the FBI and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency.

CISA has already observed several successful attacks that led to unauthorized access to elections support systems. However, there’s currently no evidence that elections data was compromised in those incidents. 

APT actors have exploited multiple legacy vulnerabilities in combination with the Windows Netlogon vulnerability, CVE-2020-1472, which CISA, CERT Coordination Center, and Microsoft have repeatedly warned organizations to patch after the release of a public exploit in mid-September.

The elevation of privilege flaw occurs when an attacker establishes a secure connection to a domain controller through the Netlogon Remote Protocol (MS-NRPC), an RPC interface exclusively used by domain-connected devices. On September 29, CISA again urged entities to apply the patch to what’s being called “Zerologon,” after hackers successfully exploited the vulnerability.

In the latest attacks, hackers are actively targeting internet-facing infrastructure vulnerabilities, including external remote services, to gain initial access into systems. Specifically, the attackers first gain access through network access vulnerabilities, then leverage Zerologon to escalate privileges in one single intrusion.

The alert warned that initial access in these attacks is predominantly through the Fortinet FortiOS VPN vulnerability CVE-2018-13379, with multiple successful exploits. There have been lesser instances where the hackers gained initial access through the MobileIron vulnerability CVE-2020-15505.

“While these exploits have been observed recently, this activity is ongoing and still unfolding,” CISA researchers stressed. “After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services.”

“Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials,” they continued. ”Observed activity targets multiple sectors and is not limited to state, local, tribal, and territorial entities.”

In response, CISA is again urging the network staff and administrators of across all sectors to review the internet-facing infrastructure for known, similar vulnerabilities able to be exploited in a similar way, including Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510, Citrix NetScaler CVE-2019-19781, F5 BIG-IP CVE-2020-5902, and Palo Alto Networks CVE-2020-2021. This list is not exhaustive.

Notably, the MobileIron flaw enables an external attacker with no privileges to execute malicious code on the vulnerable system. CISA warned that “as mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.” 

After the APT gains access, the attacker leverages multiple techniques to expand their access on the victim’s environment.

The threat actors were observed using Zerologon to escalate privileges and gain access to the Windows AD servers, as well as leveraging opensource tools like Mimikatz and the CrackMapExec tool, to gain Valid Account credentials from AD servers.

“Once system access has been achieved, the APT actors use abuse of leg