APT actors exploit legacy internet-facing vulnerabilities in combination with Zerologon to target organizations

APT actors exploit legacy internet-facing vulnerabilities in combination with Zerologon to target organizations

Advanced persistent threat actors (APTs) are exploiting multiple legacy internet-facing vulnerabilities in combination with newer “Zerologon” to target government networks, critical infrastructure, and elections organizations.

The joint security advisory of threat actor activity was issued by Cybersecurity and Infrastructure Security Agency (CISA) with input from the Federal Bureau of Investigation (FBI).

“This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” CISA warned in the advisory.

In addition, government security experts have spotted targets in multiple other sectors, not just SLTT organizations.

CISA has observed attackers exploiting multiple VPN-related vulnerabilities exposed on internet facing devices, such as:

  • Citrix NetScaler (CVE-2019-19781)
  • Pulse Secure (CVE-2019-11510)
  • Palo Alto Networks (CVE-2020-2021)
  • F5 BIG-IP (CVE-2020-5902)
  • FortiGuard FortiOS SSL VPN (CVE-2018-13379)
  • MobileIron (CVE-2020-15505).

Attackers typically first exploit one of these vulnerabilities to gain a foothold on the victim’s network. The actors can then exploit the Windows Netlogon (“Zerologon”) CVE-2020-1472 to compromise all Active Directory (AD) identity services.

“Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials,” CISA added.

Each of the threat vectors are described below as we wrote about in previous articles.

Zerologon (CVE-2020-1472)

Just last month, security experts warned publicly available exploit code was published for a Microsoft Netlogon vulnerability CVE-2020-1472. As a result, actors could exploit to hijack Windows domain controllers.

Soon afterwards, Microsoft spotted active exploits in wild of a Netlogon vulnerability CVE-2020-1472 dubbed Zerologon.

The tech giant further explained that an unauthenticated attacker could exploit the vulnerability by abusing MS-NRPC to connect to a domain controller and then obtain domain administrator access. Microsoft also provided more details on the Netlogon vulnerability a blog post.

Actors have been exploiting Zerologon in combination with vulnerabilities described below.

Citrix NetScaler (CVE-2019-19781)

Earlier this year in January, Citrix has made available a new permanent fix for a critical vulnerability CVE-2019-19781 in affected versions of Citrix SD-WAN WANOP.

The update came nearly five days after Citrix provided firmware updates for the same vulnerability in Application Delivery Controller (ADC) and Citrix Gateway products.

To add, Citrix warned an unathenticated attacker could exploit the vulnerability and execute arbitrary code.

In addition, this Citrix vulnerability was one of four most popular vulnerabilities exploited by Chinese state cyber threat actors over the past 12 months. Two of the others in the top four include Pulse Secure (CVE-2019-11510) and F5 BIG-IP (CVE-2020-5902) as noted below.

Pulse Secure (CVE-2019-11510)

Last August, researchers from Bad Packets detected “mass scanning” of 14,500 Pulse Secure (Pulse Connect Secure) VPN devices vulnerable to CVE-2019-11510.

As a result, an unauthenticated remote attacker could exploit the arbitrary file reading vulnerability to steal sensitive data, such as private keys and user passwords.

To make matters worse, the attackers could then pivot to take advantage of other unpatched vulnerabilities.

In January, 2020, CISA also warned that attackers continued to target unpatched Pulse Secure VPN systems.

To add, they also spotted hackers in April, 2020 using previously stolen credentials from previous attacks to exploit yet again previously patched VPN systems.

Palo Alto Networks (CVE-2020-2021)

In June, 2020, Palo Alto Networks patched a PAN-OS authentication bypass in SAML authentication vulnerability CVE-2020-2021.

The vulnerability affects Palo Alto Networks firewalls PAN-OS configured to run Security Assertion Markup Language (SAML).

F5 BIG-IP (CVE-2020-5902)

In July, 2020, F5 patched a Critical remote code execution (RCE) vulnerability (CVE-2020-5902) in the Configuration utility of BIG-IP.

Researchers further discovered 8,000 devices were vulnerable on the internet and could result in full system compromise.

The RCE vulnerability in undisclosed pages CVE-2020-5902 exists in the Traffic Management User Interface (TMUI), also known as the Configuration utility.

FortiGuard FortiOS SSL VPN (CVE-2018-13379)

Similar to the previously mentioned Pulse Secure VPN issues, hackers have also been targeting unpatched Fortinet’s FortiOS SSL VPNs since last August.

Organizations use popular SSL VPNs like these to allow employee remote access connectivity to the enterprise network and are prime targets for the most recent attacks.

MobileIron (CVE-2020-15505)

In July of this year, security experts found three vulnerabilities in MobileIron, an endpoint and enterprise mobility management solution for mobile devices.

MobileIron patched one of those Critical remote code execution vulnerabilities CVE-2020-15505 in MobileIron Core and Connector versions.

An attacker could exploit this vulnerability remotely without any authentication.

Finally, given the urgency of these threats, CISA urges organizations and administrators to patch systems and devices “promptly and diligently.”

Related Articles