Hackers breaking into election systems using VPN vulnerability and Zerologon bug according to FBI CISA alert

Joint FBI and CISA Alert Warns of Hackers Exploiting VPN Vulnerability and Zerologon Bug To Compromise Election Systems

The FBI and Cybersecurity Infrastructure Security Agency (CISA) warned that Advanced Persistent Threat (APT) actors employed vulnerability chaining to target government computer networks, including those housing election support systems. The vulnerability chaining method involves combining various vulnerabilities to gain access and maximum control of the targeted computer systems. The joint FBI and CISA alert AA20-283A warns that threat actors exploited Fortinet’s VPN vulnerability in gaining initial access and then employed Zerologon vulnerability (CVE-2020-1472) to gain privileged control of the networks.

Joint FBI and CISA alert warns that US election systems were at risk

CISA alert warned that cybercriminals targeted federal, state, local, tribal and territorial (SLTT) government networks using a combination of vulnerabilities existing in the wild. The joint FBI and CISA alert indicated that the hackers did not specifically target those systems because of their proximity to election information.  However, the federal agencies warned that such attacks still posed a substantial risk to election systems housed on government networks. The alert also noted that no election data has been compromised.

Hackers use Fortinet’s VPN vulnerability to gain initial access

The alert warned that the threat actors exploit Fortinet’s FortiOS Secure Socket Layer (SSL) VPN vulnerability (CVE-2018-13379) to gain initial access to federal computer networks. The hackers then leveraged Microsoft’s windows server Zerologon vulnerabilities to escalate privileges and take over the entire networks.

The Zerologon vulnerability allows hackers to compromise a Windows Server domain controller through privilege escalation to gain access to Active Directory identity services without requiring an administrator account. Post-exploitation, the cybercriminals utilize legitimate tools such as Remote Desktop Protocol (RDP) and VPNs to connect to the compromised servers.

CISA alert indicated that the threat actors employed various open-source tools such as Mimikatz and the CrackMapExec to acquire login credentials from internet-facing domain controllers.

Many companies have yet to apply the August 11 Patch Tuesday update released by Microsoft. The tech giant recently warned that threat actors had incorporated the Zerologon vulnerability into their playbooks. Iranian hackers known as MERCURY or MuddyWater were observed exploiting the bug in the wild.

The FBI/CISA alert also warned that a threat actor could exploit any other VPN vulnerability such as Pulse Connect Secure SSL VPN vulnerability (CVE-2019-11510) to compromise the US election systems.

Other vulnerabilities that could potentially threaten the integrity of the US election systems include:

  • Citrix NetScaler vulnerability existing in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances (CVE-2019-19781),
  • Palo Alto Networks’ Security Assertion Markup Language (SAML) authentication bypass vulnerability (CVE-2020-2021)
  • F5 BIG-IP traffic management user interface (TMUI) path traversal vulnerability (CVE-2020-5902)
  • MobileIron’s remote code execution vulnerability (CVE-2020-15505) existing on MobileIron Core & Connector versions 10.3 and earlier.

Mitigating the risks associated with Fortinet’s VPN vulnerability and Zerologon bug

The joint FBI and CISA alert advised organizations to update their systems to secure them against potential infiltration. Organizations should also perform comprehensive account resets to purge invalid credentials created through Zerologon breaches. Monitoring system events to identify potential unauthorized access could also help to protect election systems from unauthorized access. Additionally, blocking public access through vulnerable ports such as the Server Message Block (SMB) Port 445 and Remote Procedure Call (RPC) port 135 could secure vulnerable systems, according to the joint FBI/CISA alert.

The federal agencies also recommended the implementation of multi-factor authentication (MFA) on all VPN connections to block attacks attempting to exploit an existing VPN vulnerability.

Ilia Kolochenko, the Founder & CEO of web security company ImmuniWeb, noted that government and election systems could be compromised from various sources.

“Regrettably, a growing number of state and federal agencies can be easily compromised even without hackers having any technical skills. They have a myriad of unprotected IT and cloud systems exposed to the Internet, with default or weak credentials, or even without passwords. Furthermore, one can easily find a great wealth of stolen credentials belonging to governmental employees on the Dark Web and, in view of a widespread and continuing trend of password reuse, can silently login to some state systems that process or store critical national data.”

FBI and CISA alert warned that #hackers targeted government networks hosting election systems by chaining Fortinet’s VPN vulnerability and Microsoft’s Zerologon bug. #cybersecurity #respectdata Click to Tweet

He added that government networks housing the election systems could also be compromised through third-party IT vendors. He recommended “holistic visibility of IT and digital assets” and “continuous monitoring of [the] external attack surface and well-thought third-party risk management program.”