CISA/FBI Alert on APT Groups Chaining Legacy Vulnerabilities with Netlogon Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint alert about advanced persistent hackers stringing exploits for a number of vulnerabilities in cyberattacks directed at federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and election support networks. While there were successful attacks on the latter, there is no evidence found that suggests the compromise of any election data to date.

Threat actors are targeting a number of legacy vulnerabilities as well as recently identified vulnerabilities, for example, CVE-2020-1472, a Windows Server Netlogon remote protocol vulnerability also referred to as Zerologon. Microsoft issued a patch for the vulnerability on August 2020 Patch Tuesday but users are slow in patching.

Sequencing vulnerabilities in a solo cyberattack isn’t new. It is a prevalent tactic utilized by sophisticated attackers to breach systems and programs, elevate privileges, and get persistent access to the networks of the victims.

The alert did not identify which APT groups are performing the attacks, though Microsoft lately released a notification regarding the Mercury APT group – which has connections with Iran – exploiting the Zerologon vulnerability to obtain access to government systems. Those attacks have been recurring for about two weeks.

CISA and the FBI mentioned in the alert that attacks begin with the exploitation of legacy vulnerabilities found in VPNs and network access devices. In a number of attacks, first access to networks was acquired through the exploitation of vulnerability CVE-2018-13379 of the Fortinet FortiOS Secure Socket Layer (SSL) VPN and even the MobileIron vulnerability CVE-2020-15505. Ransomware gangs are also taking advantage of the second vulnerability right after the notice of a PoC exploit for the vulnerability.

Though the most recent campaigns were done exploiting the previously mentioned vulnerabilities, CISA/FBI tell that thre are other legacy vulnerabilities in Internet-facing infrastructure that can likewise be used in attacks for instance:

  • CVE-2019-19781 – Citrix Gateway/Citrix SD WAN WANOP vulnerability
  • CVE2019-19751 – Citrix NetScaler vulnerability
  • CVE-2019-11510 – Pulse Secure vulnerability
  • CVE-2020-1631 – Juniper vulnerability
  • CVE-2020-5902 – F5 BIG-IP vulnerability
  • CVE-2020-2021 – Palo Alto Networks vulnerability

When attackers exploit a vulnerability and get access to the targeted network, they can exploit other recently found vulnerabilities like the Zerologon vulnerability, which enables them to elevate privileges to administrator, acquire usernames and passwords, and obtain access to Windows Active Directory servers and set up persistent access to systems. Reputable solutions like MimiKatz and CrackMapExec are frequently employed in the attacks.

Because of the high possibilities for exploitation of Zerologon, Microsoft gave several notifications telling companies to use the patch immediately, just as CISA and the CERT Coordination Center

CISA and the FBI have recommended several mitigations to prevent these attacks, the most critical of which is patching the earlier mentioned vulnerabilities. Patching vulnerabilities in software programs and equipment promptly and diligently is the best protection against APT groups.

Other essential steps to consider are focused on more conventional network care and user management for example:

  • Use multi-factor authentication on all VPN connections, preferably making use of physical security tokens which are the most dependable strategy of MFA, or alternatively utilizing authenticator app-based MFA.
  • Set strong passwords for all end-users and vendors who have to link up through VPNs.
  • Discard unused VPN servers.
  • Perform reviews of configuration and apply patches to management programs.
  • Keep an eye on network traffic for sudden or unauthorized protocols, particularly outbound traffic to the web.
  • Employ separate admin accounts on individual administration workstations.
  • Update all applications to the most recent versions and set updates to be applied on auto-pilot where possible.
  • Obstruct public access to insecure unused ports like port 445 and 135.
    Safeguard Netlogon channel connections by making sure that all domain controllers and read-only domain controllers are updated.

CISA and the FBI recommend that any organization using Internet-facing infrastructure ought to follow an “assume breach” mindset.

In case of detection of CVE-2020-1472 or Netlogon activity or other signs of valid credential abuse, it must be supposed that the threat actors have compromised AD administrative accounts. The AD forest must not be completely trusted, and, consequently, a new forest ought to be deployed.

Since totally resetting an AD forest is hard and complex, organizations must consider getting help from third-party cybersecurity companies with expertise in successfully finishing the task.

About Christine Garcia 1288 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at