
FBI, CISA Warn APT Hackers Chaining Vulnerabilities in Cyberattacks

APT hackers are targeting government networks, critical infrastructure, and election organizations with chained vulnerability cyberattacks, the FBI and CISA warned in a joint alert.

Advanced persistent threat (APT) hackers are targeting government networks, critical infrastructure, and election organizations by chaining vulnerabilities – a method of exploiting multiple flaws in one single cyberattack, according to a joint alert from the FBI and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency. 

CISA has already observed several successful attacks that led to unauthorized access to elections support systems. However, there’s currently no evidence that elections data was compromised in those incidents. 

APT actors have exploited multiple legacy vulnerabilities in combination with the Windows Netlogon vulnerability, CVE-2020-1472, which CISA, the CERT Coordination Center, and Microsoft have repeatedly warned organizations to patch since a public exploit was released in mid-September.

The elevation of privilege flaw occurs when an attacker establishes a secure connection to a domain controller through the Netlogon Remote Protocol (MS-NRPC), an RPC interface exclusively used by domain-connected devices. On September 29, CISA again urged entities to apply the patch to what’s being called “Zerologon,” after hackers successfully exploited the vulnerability. 

In the latest attacks, hackers are actively targeting internet-facing infrastructure vulnerabilities, including external remote services, to gain initial access into systems. Specifically, the attackers first gain access through network access vulnerabilities, then leverage Zerologon to escalate privileges in one single intrusion. 

The alert warned that initial access in these attacks is predominantly through the Fortinet FortiOS VPN vulnerability CVE-2018-13379, with multiple successful exploits. There have been lesser instances where the hackers gained initial access through the MobileIron vulnerability CVE-2020-15505. 

“While these exploits have been observed recently, this activity is ongoing and still unfolding,” CISA researchers stressed. “After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services.” 

“Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials,” they continued. “Observed activity targets multiple sectors and is not limited to state, local, tribal, and territorial entities.” 

In response, CISA is again urging network staff and administrators across all sectors to review their internet-facing infrastructure for known vulnerabilities that can be exploited in the same way, including Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510, Citrix NetScaler CVE-2019-19781, F5 BIG-IP CVE-2020-5902, and Palo Alto Networks CVE-2020-2021. This list is not exhaustive. 

Notably, the MobileIron flaw enables an external attacker with no privileges to execute malicious code on the vulnerable system. CISA warned that “as mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.” 

After gaining initial access, the APT actors leverage multiple techniques to expand their access within the victim’s environment. 

The threat actors were observed using Zerologon to escalate privileges and gain access to the Windows AD servers, and leveraging open-source tools such as Mimikatz and CrackMapExec to obtain valid account credentials from those AD servers. 

“Once system access has been achieved, the APT actors use abuse of legitimate credentials to log in via VPN or Remote Access Services to maintain persistence,” according to the alert. “As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.” 

The alert stressed that organizations with externally facing infrastructure devices, such as the healthcare sector, and with the vulnerabilities listed above, “should move forward with an assume breach mentality.” 

Organizations must ensure their systems are kept up to date, promptly and routinely applying provided patches to systems and consistently maintaining a patch management cycle across the enterprise. The alert stressed that this is the best defense against these threats. 

If a Zerologon exploit or credential abuse is observed, the security leader should assume threat actors have indeed compromised AD administrative accounts and thus, the AD forest should not be fully trusted. A new forest will then need to be deployed. 

The alert explained that existing hosts from the compromised forest can’t be migrated in without first being rebuilt and rejoined to the new domain. Instead, administrators must migrate using “‘creative destruction,’ wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premise, as well as Azure hosted AD instances.” 

Those tasked with the difficult and complex process who lack experience should only attempt the migration with assistance of those who have previously, and successfully, completed the task. 

It will also be critical to implement a full password reset on all user and computer accounts in the AD forest. 
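A forest-wide reset is only useful if it is verified. The following PowerShell script is an added example, not code from the article or the CISA/FBI alert: it walks every domain in the forest and lists enabled user and computer accounts whose password was last set before the reset began, distinguishing accounts still pending a "change at next logon" from ones that were never touched. It assumes the ActiveDirectory module is installed, that the caller can read PasswordLastSet in every domain, and that the date in $ResetStartedAt (a hypothetical value) is replaced with the real start of the reset.

```powershell
# Added example, not from the article or the alert. Verifies a forest-wide password
# reset by listing enabled accounts whose password predates the reset start date.
# Assumptions: ActiveDirectory module present, read access to PasswordLastSet in all
# domains; $ResetStartedAt is a hypothetical placeholder to replace.
$ResetStartedAt = Get-Date '2020-10-12T00:00:00'

$notReset = foreach ($domain in (Get-ADForest).Domains) {
    # -Server accepts a domain DNS name and locates a domain controller in that domain.
    $users     = Get-ADUser     -Server $domain -Filter 'Enabled -eq $true' -Properties PasswordLastSet
    $computers = Get-ADComputer -Server $domain -Filter 'Enabled -eq $true' -Properties PasswordLastSet

    foreach ($acct in @($users) + @($computers)) {
        # PasswordLastSet is $null when pwdLastSet = 0, i.e. "change at next logon" is set.
        # The old password still works until that logon happens, so the account is not yet reset.
        $status = $null
        if (-not $acct.PasswordLastSet) {
            $status = 'Pending (change at next logon)'
        }
        elseif ($acct.PasswordLastSet -lt $ResetStartedAt) {
            $status = 'Not reset'
        }
        if ($status) {
            $type = 'User'
            if ($acct.ObjectClass -eq 'computer') { $type = 'Computer' }
            [pscustomobject]@{
                Domain          = $domain
                Type            = $type
                SamAccountName  = $acct.SamAccountName
                PasswordLastSet = $acct.PasswordLastSet
                Status          = $status
            }
        }
    }
}

$notReset | Sort-Object Domain, Type, SamAccountName | Format-Table -AutoSize
'{0} enabled account(s) still carry a password from before the reset' -f @($notReset).Count
```

Run it from a workstation with forest-wide read rights after the reset has been rolled out; any row it prints is an account the attacker’s harvested credentials could still unlock, and "Not reset" rows in particular point at accounts the reset procedure missed entirely.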

Further, organizations will also need to secure all VPN vulnerabilities by updating VPNs, network infrastructure devices, and other devices used to remotely connect to the enterprise network with the latest software patches and security configurations. 

As repeated in nearly every vulnerability disclosure, multi-factor authentication should be applied to all VPN connections to bolster security. 

“Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA,” CISA recommended. “SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords.” 

“Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers,” they added. 

To further bolster enterprise VPN connections, organizations must audit configuration and patch management programs, monitor network traffic for unusual activity, and use separate administrative accounts for each administration workstation. 

The alert also reminded organizations to secure the Netlogon channel connections by updating all Domain Controllers and Read Only Domain Controllers, as well as monitoring for new events and addressing non-compliant devices using vulnerable Netlogon secure channel connections. 

Administrators must block public access to potentially vulnerable ports and enable Netlogon enforcement mode on domain controllers. Malicious activity can be uncovered by collecting and reviewing relevant artifacts, logs, and data. Organizations should also carry out mitigation steps in a way that avoids alerting attackers that their presence has been detected. 
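The two Netlogon tasks above, watching for the new events and confirming enforcement mode, can be checked from one script. The PowerShell below is an added example, not code from the article, the alert, or Microsoft: it pulls the Netlogon secure-channel event IDs that the patched Netlogon service writes to the System log (5827 and 5828 for denied vulnerable connections, 5829, 5830 and 5831 for vulnerable connections that were still allowed) from every domain controller, summarizes which accounts opened them, and reports any DC where the FullSecureChannelProtection registry value is not set to 1 (enforcement mode). It assumes Domain Admin rights, PowerShell remoting to the DCs, and the ActiveDirectory module; the seven-day lookback is an assumption to adjust.

```powershell
# Added example, not from the article, the alert, or Microsoft. Audits Netlogon
# secure-channel events on every domain controller and checks enforcement mode.
# Assumptions: Domain Admin rights, PowerShell remoting enabled on the DCs,
# ActiveDirectory module available; the 7-day window is a placeholder to adjust.

# Event IDs Microsoft documents for the patched Netlogon service (System log):
#   5827  vulnerable machine-account connection DENIED
#   5828  vulnerable trust-account connection DENIED
#   5829  vulnerable machine-account connection ALLOWED (device still non-compliant)
#   5830  vulnerable machine-account connection ALLOWED by a Group Policy exception
#   5831  vulnerable trust-account connection ALLOWED by a Group Policy exception
$NetlogonEventIds = 5827, 5828, 5829, 5830, 5831
$DeniedIds        = @(5827, 5828)
$Since            = (Get-Date).AddDays(-7)

$DomainControllers = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $DomainControllers) {
    # Enforcement mode is FullSecureChannelProtection = 1 under the Netlogon Parameters key.
    $enforcement = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    }
    if ($enforcement -ne 1) {
        Write-Warning "$dc is NOT in Netlogon enforcement mode (FullSecureChannelProtection=$enforcement)"
    }

    # Get-WinEvent errors when nothing matches; SilentlyContinue turns that into an empty result.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'System'
        Id        = $NetlogonEventIds
        StartTime = $Since
    }
    foreach ($e in $events) {
        # The event text names the account that opened the vulnerable channel.
        $account = '(see message)'
        if ($e.Message -match 'SamAccountName:\s*(\S+)') { $account = $Matches[1] }
        $outcome = 'Allowed'
        if ($e.Id -in $DeniedIds) { $outcome = 'Denied' }
        [pscustomobject]@{
            DomainController = $dc
            EventId          = $e.Id
            Account          = $account
            Outcome          = $outcome
            LastSeen         = $e.TimeCreated
        }
    }
}

# Accounts that were ALLOWED a vulnerable connection are the non-compliant devices to
# patch or remediate before enforcement mode starts denying them; denied ones are already blocked.
$report |
    Group-Object DomainController, EventId, Account |
    ForEach-Object {
        $latest = $_.Group | Sort-Object LastSeen -Descending | Select-Object -First 1
        [pscustomobject]@{
            DomainController = $latest.DomainController
            EventId          = $latest.EventId
            Outcome          = $latest.Outcome
            Account          = $latest.Account
            Count            = $_.Count
            LastSeen         = $latest.LastSeen
        }
    } |
    Sort-Object Outcome, DomainController, Account |
    Format-Table -AutoSize
```

Scheduling this daily gives a running list of devices still using vulnerable Netlogon secure channels, which is the "non-compliant devices" list the alert asks administrators to work through, and the warning line flags any DC where enforcement mode has not yet been switched on.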

“Consider soliciting incident response support from a third-party IT security organization to provide subject matter expertise and technical support to the incident response, ensure that the actor is eradicated from the network, and avoid residual issues that could result in follow-up compromises once the incident is closed,” according to the alert. 

As cyberattacks continue to increase in frequency and sophistication – including double extortion attempts and evasive attacks – healthcare organizations must apply these recommendations to avoid falling victim. Healthcare was the sector most targeted with ransomware during the third quarter of 2020.
