US Warns: Hackers Chaining Zerologon, Other Vulnerabilities


CISA Says APTs Gained Access to State and Local Election Support Systems


The U.S. Cybersecurity and Infrastructure Security Agency is warning that sophisticated hacking groups are chaining vulnerabilities together, such as the recent Zerologon bug along with other flaws, to target state, local, tribal and territorial government networks.


In some cases, the attackers gained access to what CISA calls “election support systems” within government networks, but the security agency stressed that no election data has been compromised, according to the warning issued Friday.

In the hacking activity that CISA has observed, the agency warns that these advanced persistent threat groups are attempting to exploit multiple legacy vulnerabilities as well as newer privilege escalation flaws, such as the Zerologon bug recently uncovered in Windows Server.

“The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application,” according to CISA, which issued its warning with input from the FBI. “Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.”

While the CISA alert did not offer specific details about the APTs using these multiple vulnerabilities to target government networks, Microsoft’s security team warned this week that it has detected an Iranian-backed hacking group called Mercury trying to exploit the Zerologon flaw over the last two weeks (see: Iranian Hackers Exploiting ‘Zerologon’ Flaw).

Since August, Microsoft has warned its users to apply a partial patch that the company issued for the Zerologon vulnerability. In September, CISA began issuing warnings about the flaw, noting that threat actors were looking to take advantage of unpatched systems (see: Warning: Attackers Exploiting Windows Server Vulnerability).

With less than a month to go before the November elections, CISA, the FBI and other U.S. agencies have been issuing a string of warnings about election security and attempts by hacking groups, both foreign and domestic, that are trying to interfere or spread disinformation (see: FBI, CISA Warn of DDoS Attacks Targeting November Election).

Exploiting Vulnerabilities

The CISA alert notes that several of these hacking groups have recently begun to exploit legacy vulnerabilities in network access devices and VPNs as part of an initial attack. The APT groups then look to exploit newer flaws, such as Zerologon, to gain administrative privileges, capture additional passwords and user names, move laterally through the network and maintain persistence, according to Friday’s alert.

Many of the legacy vulnerabilities these hacking groups are exploiting have been known for months and sometimes years, and vendors and security researchers have urged users to apply patches or fixes. According to CISA, some of the vulnerabilities commonly exploited in these chains are:

  • CVE-2018-13379, which is an improper pathname vulnerability found in multiple versions of the Fortinet FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
  • CVE-2019-19781, which is an arbitrary code execution vulnerability found in Citrix Gateway and Citrix SD-WAN WANOP appliances. In December 2019, researchers at security firm Positive Technologies released a report that found this bug could affect some 80,000 companies in 158 countries.
  • CVE-2020-15505, which is a remote code execution vulnerability in MobileIron Core and Connector administrative portals that could enable attackers to execute arbitrary code through unspecified vectors.
  • CVE-2019-11510, which is a file-reading vulnerability found in unpatched Pulse Secure Connect enterprise VPN servers.
  • CVE-2020-2021, which is an authentication vulnerability in Palo Alto Networks’ PAN-OS that could allow unauthenticated network-based attackers to access protected resources.
  • CVE-2020-5902, which is a remote code execution vulnerability in F5’s BIG-IP network products. In July, CISA published an alert warning that threat actors were exploiting this vulnerability to exfiltrate data, access networks, carry out commands, create or delete files and disable services.

In the alert, CISA notes that it has detected multiple attacks looking to exploit the vulnerability in the Fortinet FortiOS VPN specifically. To a lesser extent, these hacking groups have also attempted to take advantage of the flaws in the MobileIron products as well.

“While these exploits have been observed recently, this activity is ongoing and still unfolding,” according to CISA.

Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, noted recently on Twitter that the MobileIron vulnerability is being exploited by ransomware gangs as well.

Escalating Privileges

Once these hacking groups have exploited the older vulnerabilities, they turn to taking advantage of other unpatched systems and devices to escalate their administrative privileges within compromised networks, including trying to access Windows Active Directory (see: Why Hackers Abuse Active Directory).

Most recently, these hacking groups are attempting to exploit the Zerologon flaw in Windows Server. This vulnerability affects Windows Server’s Netlogon Remote Protocol, or MS-NRPC – an authentication component of Active Directory that organizations deploy to manage user accounts, including authentication and access, according to Microsoft’s initial alert about the bug.

The Zerologon vulnerability, which is tracked as CVE-2020-1472, has been given a CVSS score of 10, the most critical rating, and Microsoft has urged its users to apply a partial patch, with a full fix not expected until 2021.

“Post initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,” according to CISA.

The CISA alert also notes that the hacking groups are using open source tools, such as Mimikatz and CrackMapExec, to obtain valid Active Directory credentials. Once these networks have been compromised, the APTs can maintain persistence within the networks using these credentials.

In addition to patching for these vulnerabilities, the CISA alert recommends a few additional steps that organizations can adopt to prevent potential attacks, including:

  • Implementing multi-factor authentication on all VPN connections to increase security. CISA suggests that physical security tokens are the most secure option for this, followed by app-based authentication.
  • Discontinuing unused VPN servers to reduce the attack surface, as hackers are known to exploit unused VPN servers as a point of entry.
  • Auditing configuration and patch management programs as well as monitoring and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections.
  • Blocking public access to potentially vulnerable ports, such as port 445, which is used for the Server Message Block network protocol, and port 135, which is used for a remote procedure call connection.
  • Updating all Domain Controllers and Read-Only Domain Controllers.
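As an added, defender-side illustration of the Netlogon audit step above (this is example code written for this page, not part of the CISA alert or of Microsoft's tooling): the script below summarizes Netlogon secure-channel events exported from a domain controller's System log and lists the accounts that still rely on vulnerable connections and therefore need attention before enforcement mode. It assumes the event IDs that Microsoft's August 2020 Netlogon update writes (5827/5828 for denied vulnerable connections, 5829 for allowed vulnerable connections, 5830/5831 for connections allowed by an explicit policy exception); the simplified one-record-per-line export format and the sample records are constructed for the demonstration.

```python
"""Summarise Netlogon secure-channel events to find non-compliant devices.

Added example for this article, not CISA or Microsoft code. Event IDs are
those documented for Microsoft's August 2020 Netlogon update (assumption:
your log export preserves them unchanged):
  5827 / 5828  vulnerable connection DENIED (machine / trust account)
  5829         vulnerable connection ALLOWED (initial deployment phase)
  5830 / 5831  vulnerable connection allowed by explicit policy exception
"""
import re
from collections import defaultdict

# Constructed sample export, one record per line:
# <event id> <domain controller> <account> <client address>
SAMPLE_EVENTS = """\
5829 DC01 WS-FINANCE-07$ 10.20.4.17
5829 DC01 PRINTSRV-02$ 10.20.8.3
5830 DC02 LEGACY-NAS$ 10.20.9.5
5829 DC01 WS-FINANCE-07$ 10.20.4.17
5827 DC02 UNKNOWN-01$ 10.20.7.99
5828 DC02 CORP-PARTNER$ 172.16.1.2
4624 DC01 ADMIN 10.20.1.1
"""

NETLOGON_EVENTS = {
    5827: "denied vulnerable connection (machine account)",
    5828: "denied vulnerable connection (trust account)",
    5829: "allowed vulnerable connection",
    5830: "allowed by policy exception (machine account)",
    5831: "allowed by policy exception (trust account)",
}

# Four whitespace-separated fields; anything else is ignored as malformed.
LINE_RE = re.compile(r"^(\d{4})\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Return a list of dicts for records that carry a Netlogon event ID."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event_id = int(m.group(1))
        if event_id not in NETLOGON_EVENTS:  # e.g. unrelated logon events
            continue
        events.append({
            "id": event_id,
            "dc": m.group(2),
            "account": m.group(3),
            "client": m.group(4),
        })
    return events


def non_compliant_devices(events):
    """Split accounts into those still getting through and those refused.

    5829 means the DC let a vulnerable connection through; 5830/5831 mean it
    was let through only because an administrator added an exception. Both
    groups need patching or replacement before enforcement mode. Denied
    events (5827/5828) are returned separately: the DC already refused them,
    but they may point at an unpatched device or at someone probing.
    """
    allowed = {}
    denied = defaultdict(int)
    for ev in events:
        if ev["id"] in (5829, 5830, 5831):
            rec = allowed.setdefault(
                ev["account"], {"count": 0, "ids": set(), "clients": set()})
            rec["count"] += 1
            rec["ids"].add(ev["id"])
            rec["clients"].add(ev["client"])
        else:
            denied[ev["account"]] += 1
    return allowed, dict(denied)


def report(text):
    """Render a short, human-readable summary for the audit ticket."""
    allowed, denied = non_compliant_devices(parse_events(text))
    lines = ["Accounts still using vulnerable Netlogon secure channels:"]
    for account, rec in sorted(allowed.items()):
        reasons = ", ".join(NETLOGON_EVENTS[i] for i in sorted(rec["ids"]))
        lines.append(f"  {account}: {rec['count']} event(s) from "
                     f"{', '.join(sorted(rec['clients']))} [{reasons}]")
    lines.append("Accounts whose vulnerable connections were denied:")
    for account, count in sorted(denied.items()):
        lines.append(f"  {account}: {count} event(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

Run against a real export, the first list is the set of devices to patch, reconfigure or retire; once it is empty, the domain controllers can be moved to enforcement mode without breaking legitimate machine accounts.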

Managing Editor Scott Ferguson contributed to this report.
