
Hackers exploit Netlogon flaw to attack government networks

CISA issued an alert stating that the government networks targeted by the APT were close to election systems and that the activity may pose some risk to those systems.

Advanced persistent threat actors are exploiting well-known legacy vulnerabilities against U.S. government networks, which could pose a risk to election systems.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) Friday issued an advisory stating they recently observed APT actors chaining multiple legacy vulnerabilities, in combination with a newer privilege escalation vulnerability in Windows Netlogon, dubbed "Zerologon." According to the alert, vulnerability chaining is a commonly used tactic that exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. In this case, the malicious activity was often directed at federal and state, local, tribal and territorial (SLTT) government networks.

"Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks," the advisory said. "CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity."

Patches had already been released for two of the flaws used in this attack, Netlogon and a Fortinet VPN vulnerability, which highlights the importance of patch management. Tenable research engineer Satnam Narang said threat actors do not need to spend capital to develop or pay for zero-day vulnerabilities when unpatched vulnerabilities continue to persist.

In addition, he said mitigating one or two of these flaws would thwart attacks targeting those specific pieces of software.

"In the case of CVE-2020-1472, also known as Zerologon, it is becoming increasingly important for organizations to ensure they've patched this flaw in particular. CISA issued Emergency Directive 20-04 on Sept. 18 to ensure Federal Civilian Executive Branch systems had applied the patch for this flaw in an urgent fashion," Narang said. "Understanding the risks to your environment and being able to prioritize patching the right flaws is critically important for an organization's security posture."

Not only was a patch already released for Netlogon; it is also not the first time the critical flaw, tracked as CVE-2020-1472 and rated the maximum CVSS severity of 10, has been exploited in the wild. It is rated critical because exploitation allows an attacker to effectively become a domain administrator and gain access to enterprise networks. While Microsoft disclosed and patched it in August, the tech giant detected active use last month, stating it "observed attacks where public exploits have been incorporated into attacker playbooks."
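One concrete check a domain administrator can run for this flaw is to review the Netlogon event IDs that Microsoft's August 2020 update introduced alongside the patch (5827 through 5831, documented in KB4557222). The script below is an added, defender-side illustration and is not code from the article, CISA or Microsoft; it triages those events from a log export so that unpatched clients still making vulnerable connections (5829) and rejected vulnerable connections (5827/5828) are listed separately. The simplified `key=value` log layout, the host names, IP addresses and timestamps are all constructed for the example.

```python
import re
from collections import Counter

# Event IDs added by Microsoft's August 2020 Netlogon update (KB4557222):
#   5827/5828: vulnerable Netlogon secure channel connection DENIED
#   5829:      vulnerable connection ALLOWED (clients to fix before enforcement mode)
#   5830/5831: vulnerable connection allowed by an explicit Group Policy exception
NETLOGON_EVENTS = {
    5827: "denied (machine account)",
    5828: "denied (trust account)",
    5829: "allowed, vulnerable (machine account)",
    5830: "allowed by policy exception (machine account)",
    5831: "allowed by policy exception (trust account)",
}

# Constructed sample export in a simplified "timestamp EventID=N key=value ..." layout.
# Real exports (e.g. from Get-WinEvent) would need their own field mapping.
SAMPLE_LOG = """\
2020-10-09T10:01:12Z EventID=5829 Provider=NETLOGON SamAccountName=WS01$ Domain=CORP ClientIP=10.0.5.17
2020-10-09T10:01:13Z EventID=4624 Provider=Security SamAccountName=alice LogonType=3
2020-10-09T10:02:44Z EventID=5827 Provider=NETLOGON SamAccountName=DC01$ Domain=CORP ClientIP=10.0.9.200
2020-10-09T10:02:45Z EventID=5827 Provider=NETLOGON SamAccountName=DC01$ Domain=CORP ClientIP=10.0.9.200
2020-10-09T10:03:01Z EventID=5829 Provider=NETLOGON SamAccountName=PRINTER7$ Domain=CORP ClientIP=10.0.5.40
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": m.group("ts"), "event_id": int(m.group("id")), **fields}


def triage(log_text):
    """Group Netlogon-hardening events by outcome and flag repeat sources of denials."""
    allowed, denied = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event_id"] not in NETLOGON_EVENTS:
            continue  # unrelated event or unparseable line
        record = {
            "ts": ev["ts"],
            "event_id": ev["event_id"],
            "outcome": NETLOGON_EVENTS[ev["event_id"]],
            "account": ev.get("SamAccountName", "?"),
            "client_ip": ev.get("ClientIP", "?"),
        }
        (denied if ev["event_id"] in (5827, 5828) else allowed).append(record)

    # Several denials from the same client address in a short window are worth a
    # closer look by the incident response team; a single one may just be an old client.
    denial_sources = Counter(r["client_ip"] for r in denied)
    repeat_sources = {ip: n for ip, n in denial_sources.items() if n >= 2}
    return {
        "vulnerable_allowed": allowed,   # patch or retire these clients before enforcement
        "denied": denied,                # rejected attempts to use the vulnerable channel
        "repeat_denial_sources": repeat_sources,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("vulnerable_allowed", "denied"):
        print(f"{key}:")
        for r in result[key]:
            print(f"  {r['ts']} {r['event_id']} {r['account']} from {r['client_ip']} -> {r['outcome']}")
    print("repeat denial sources:", result["repeat_denial_sources"])
```

The 5829 list is the remediation backlog: each account on it still negotiates the vulnerable secure channel and will stop working once the domain controller is switched to enforcement mode, so those hosts need the update before that happens. The denied list shows the patch doing its job; repeated denials from one address are the records to hand to incident response.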

In the advisory Friday, CISA also listed additional vulnerabilities in products that could be chained in attacks similar to this campaign's activity, including Citrix NetScaler, MobileIron, F5 BIG-IP and more. Many of the vulnerabilities listed have been disclosed and patched, but it is not uncommon for organizations to fail to patch or update vulnerable software.

Narang said the reality is there are hundreds to thousands of vulnerabilities in organizations' networks every day.

"Without effective prioritization, many security teams are left to a guessing game of which flaws should be remediated immediately. It's a matter of discerning signal from noise and that can be incredibly difficult in today's dynamic environments."
