Attackers Chaining Zerologon with VPN Exploits
The US government has warned of newly discovered APT attacks combining exploits of VPN products with those for the recently disclosed Zerologon bug.
The joint alert from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) revealed that government and non-government targets are being attacked in this campaign.
It warned that access to federal and state, local, tribal and territorial (SLTT) government networks could put election information at risk, although there’s no evidence that this data has been compromised, or that its theft was the ultimate goal of the attackers.
“CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505. While these exploits have been observed recently, this activity is ongoing and still unfolding,” the warning noted.
“After gaining initial access, the actors exploit CVE-2020-1472 [Zerologon] to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors, and is not limited to SLTT entities.”
CISA warned that exploits of similar bugs in products from Juniper (CVE-2020-1631), Pulse Secure (CVE-2019-11510), Citrix NetScaler (CVE-2019-19781) and Palo Alto Networks (CVE-2020-2021) could be chained with Zerologon to achieve the same result.
Fixed by Microsoft back in August, Zerologon was deemed so critical that CISA issued an emergency directive in September demanding all civilian government agencies patch the bug.
A few days later, attacks exploiting the critical elevation-of-privilege flaw were detected in the wild.
CISA has a list of patching and mitigation best practices here.