Representatives of the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security have posted a warning that attackers are gaining access to government networks by chaining the Zerologon vulnerability (CVE-2020-1472) with various bugs in VPN products. Attacks on both government and non-government networks have already been reported.
“CISA is aware of a number of cases where such activities have led to unauthorized access to electoral support systems. However, to date, CISA has no proof that the integrity of this data has been compromised,” reads the warning.
The Fortinet issue (CVE-2018-13379) was found in the Fortinet FortiOS Secure Socket Layer (SSL) VPN, an on-premises VPN that is typically used as a secure gateway for accessing corporate networks from remote locations. The flaw allows attackers to download malicious files onto unprotected systems and take over Fortinet VPN servers.
As for the Zerologon vulnerability, let me remind you that it stems from a weak cryptographic algorithm used in the Netlogon authentication process. The bug was named Zerologon because the attack is carried out by filling certain Netlogon authentication parameters with zeros. As a result, an attacker can manipulate authentication, namely:
- impersonate any computer on the network during authentication with a domain controller;
- disable security mechanisms during Netlogon authentication;
- change the computer account password of the Active Directory domain controller.
CISA and the FBI explain that the attackers chain these vulnerabilities: they first take over the Fortinet servers and then use Zerologon to take over the internal network.
Experts also warn that, in addition to the bugs in Fortinet products, attackers can exploit any other vulnerabilities in VPN solutions and gateways, of which quite a few have been discovered recently. It is enough to recall the following problems:
- Pulse Connect Secure enterprise VPN (CVE-2019-11510);
- Palo Alto Networks GlobalProtect VPN (CVE-2019-1579);
- Citrix ADC servers and Citrix Gateway (CVE-2019-19781);
- MobileIron mobile device management servers (CVE-2020-15505);
- F5 BIG-IP load balancers (CVE-2020-5902).