Hackers Chain VPN and Microsoft Vulnerabilities to Access US Government Networks

How often do you see a popup about a software update and ignore it, thinking “I’ll get to it later”? Several United States Government organisations wish they hadn’t taken that exact same approach.

A group of hackers chained together bugs in widely used VPN and Windows products to gain access to a range of US federal and state, local, tribal, and territorial (SLTT) government networks, as well as some non-government networks. The warning came from two of the biggest US actors in security, namely the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), in a joint cybersecurity advisory.

This attack tactic is known as vulnerability chaining, whereby multiple bugs are combined to compromise a network or application.

Causing maximum damage by vulnerability chaining 

The hackers used a flaw in one piece of software to put themselves in a position to exploit a flaw in a second piece of software, building a chain of vulnerabilities that eventually let them create maximum havoc. The damage caused by vulnerability chaining is greater than the sum of the individual vulnerabilities on their own: the first bug was only good for getting a foothold, and the second could only be used by someone who already had one.

In this case, the hackers gained access by combining a vulnerability in the Fortinet FortiOS Secure Socket Layer (SSL) VPN (bug number CVE-2018-13379) with the Zerologon vulnerability in the Netlogon Remote Protocol used by Windows Server domain controllers (bug number CVE-2020-1472).

Fortinet FortiOS Secure Socket Layer (SSL) VPN is an on-premises VPN server which gives secure access to enterprise networks from remote locations. Vulnerability CVE-2018-13379 is a path traversal bug in the SSL VPN web portal; it carries a 2018 identifier but was publicly disclosed and patched in 2019. It lets an unauthenticated attacker download system files from the appliance with specially crafted HTTP requests, including session files that hold VPN usernames and passwords in plain text. With those credentials the attackers can log in to the VPN like any remote worker. Step one of the chain is now complete: the hackers have their initial access to the target networks.

Once the attackers had gained the initial access, they were then able to use Zerologon to take over their targets’ internal networks.

How Zerologon works

Zerologon is the name given to bug CVE-2020-1472 in the Netlogon Remote Protocol that Windows domain controllers use to authenticate the computers in a domain. Rated 10.0 out of 10 on the CVSS scale, it was one of the most severe bugs ever reported to the company, and Microsoft released a patch to close this vulnerability in August 2020.

Zerologon exploits a flawed use of cryptography in the Netlogon authentication handshake: the credential that proves a client knows the shared secret is computed with AES in CFB8 mode using a fixed, all-zero initialisation vector. Attackers can use it to manipulate the Netlogon authentication procedure and impersonate any computer account in the domain, including the domain controller itself, disable signing and sealing of the Netlogon channel, and reset the domain controller's own machine account password. Each attempt succeeds with a probability of 1 in 256, so an attacker needs about 256 attempts on average, and the whole attack typically takes about three seconds.

The name Zerologon comes from the way the attack is carried out: the attacker fills the client challenge and client credential fields of the Netlogon handshake with zero bytes.

One of the few limitations of Zerologon is that it cannot be used against a domain controller from outside the network: the attacker needs to reach the domain controller's Netlogon RPC interface, which means a foothold inside the network, and that is what the Fortinet vulnerability gave them. Once the two were combined, the attackers were able to enter their target's network and do anything they wanted from inside the Windows domain.
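The handshake and the flaw described above, as an added example that is not from the original article, from Microsoft or from the researchers who found the bug: a small Go model of the Netlogon authentication exchange with both sides in one file. The server side derives a session key and checks the client's credential the way MS-NRPC describes for the AES flavour (HMAC-SHA256 over both challenges, then AES-CFB8 with a zero IV over the challenge); the attacker side repeats the handshake with an all-zero challenge and an all-zero credential until a session key happens to produce a zero credential. There is no RPC here, the calls are plain Go functions, the machine-account secret is a constructed stand-in for the real MD4 password hash, and the names domainController, legitimateLogin and zerologon are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// aesCFB8Encrypt is AES-128 in CFB mode with 8-bit feedback (CFB8), the mode MS-NRPC
// uses in ComputeNetlogonCredential. Go's crypto/cipher has only full-block CFB.
func aesCFB8Encrypt(key []byte, iv [16]byte, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length can fail here
	}
	shift := iv // shift register, seeded with the IV
	var ks [16]byte
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks[:], shift[:])
		c := p ^ ks[0]            // only the first keystream byte is used per step
		copy(shift[:], shift[1:]) // slide the register one byte to the left ...
		shift[15] = c             // ... and feed the ciphertext byte back in
		out[i] = c
	}
	return out
}

// computeNetlogonCredential encrypts the 8-byte challenge under the session key with
// a FIXED all-zero IV. That is the Zerologon flaw: with an all-zero challenge the
// register stays zero whenever the first keystream byte is 0x00 (about 1 key in 256).
func computeNetlogonCredential(sessionKey []byte, challenge [8]byte) (cred [8]byte) {
	var zeroIV [16]byte
	copy(cred[:], aesCFB8Encrypt(sessionKey, zeroIV, challenge[:]))
	return cred
}

// sessionKey mirrors the MS-NRPC AES derivation: HMAC-SHA256 keyed with the password
// hash over both challenges, cut to 16 bytes. secret stands in for the real MD4 hash.
func sessionKey(secret []byte, clientChallenge, serverChallenge [8]byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(clientChallenge[:])
	mac.Write(serverChallenge[:])
	return mac.Sum(nil)[:16]
}

// domainController is a minimal model of the server side of the handshake.
type domainController struct {
	secret          []byte  // password hash of the machine account being logged on
	serverChallenge [8]byte // handed out by NetrServerReqChallenge
}
func (dc *domainController) reqChallenge() [8]byte {
	if _, err := rand.Read(dc.serverChallenge[:]); err != nil {
		panic(err)
	}
	return dc.serverChallenge
}

// authenticate is the NetrServerAuthenticate3 check: the client's credential must
// equal what the DC computes over the client's own challenge.
func (dc *domainController) authenticate(clientChallenge, clientCredential [8]byte) bool {
	key := sessionKey(dc.secret, clientChallenge, dc.serverChallenge)
	expected := computeNetlogonCredential(key, clientChallenge)
	return hmac.Equal(expected[:], clientCredential[:])
}

// legitimateLogin is a real domain member: it knows the secret, derives the same
// session key and proves it by encrypting a random challenge of its own.
func legitimateLogin(dc *domainController, secret []byte) bool {
	serverChallenge := dc.reqChallenge()
	var clientChallenge [8]byte
	if _, err := rand.Read(clientChallenge[:]); err != nil {
		panic(err)
	}
	key := sessionKey(secret, clientChallenge, serverChallenge)
	return dc.authenticate(clientChallenge, computeNetlogonCredential(key, clientChallenge))
}

// zerologon is the attacker: no secret, just the handshake repeated with an all-zero
// challenge and credential. Each fresh server challenge means a fresh session key, so
// every attempt is an independent 1-in-256 shot. Returns the accepted attempt, or 0.
func zerologon(dc *domainController, maxAttempts int) int {
	var zero [8]byte
	for n := 1; n <= maxAttempts; n++ {
		dc.reqChallenge()
		if dc.authenticate(zero, zero) {
			return n
		}
	}
	return 0
}

func main() {
	dc := &domainController{secret: []byte("constructed stand-in for MD4(machine password)")}
	fmt.Println("member with the right secret accepted:", legitimateLogin(dc, dc.secret))
	fmt.Println("member with a wrong secret accepted:", legitimateLogin(dc, []byte("wrong")))
	fmt.Printf("zero-credential bypass accepted on attempt %d (about 256 expected)\n", zerologon(dc, 1<<20))
}
```

Run it a few times and the accepted attempt number lands anywhere from a handful to several hundred, averaging around 256. Note that nothing in the server's comparison is wrong: the fixed IV simply lets the attacker pick the one input for which the output no longer depends on the secret, which is why the fix had to change the protocol rather than the check.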

It’s worth noting here that the joint advisory from CISA and the FBI highlighted several other vulnerabilities in other commonly used software that could be used in similar vulnerability chaining attacks. These vulnerabilities include Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510, Citrix NetScaler CVE-2019-19781, and Palo Alto Networks CVE-2020-2021.

Why did this attack take place now?

The joint advisory from CISA and the FBI states that these targets do not appear to have been selected because they have access to US 2020 election information, and that to date there is no evidence that election data has been compromised.

However, the CISA and FBI advisory also didn’t name the hackers. Instead it called them “advanced persistent threat (APT) actors”, a term usually reserved for state-sponsored hackers.

Either way, this attack could not have come at a worse time.

Vulnerability chaining from legitimate remote access tools

Hackers have been observed in the past using legitimate remote access tools such as Remote Desktop Protocol (RDP) and VPNs to access their targets with compromised credentials, and the advisory notes the APT actors in this campaign doing the same, logging in through VPN and RDP with credentials they had compromised. Logins like these look like ordinary remote work, which is what makes them hard to spot.

Microsoft have also observed Zerologon attacks by Iran-linked APT Mercury, and the Russian cybercrime gang TA505. No official connection has been made between these groups and this latest attack.

Reducing the risk of vulnerability chaining attacks

On their own, the two vulnerabilities may not have seemed like something to panic over. After all, the Fortinet vulnerability had been public for over a year, and Zerologon couldn’t be exploited from outside the network. But that is the first lesson to come from this incident. Don’t ignore security updates when they are released, no matter how limited a vulnerability may appear on its own.

Patches are available for both of the products involved in this incident, and had those patches been applied promptly, at least some of these organisations may have been spared. Two caveats apply even after patching: VPN credentials stolen through the Fortinet bug stay valid until they are reset, so a patched appliance still needs a credential reset, and the August 2020 Zerologon patch is only the first phase, with Microsoft’s enforcement phase, which rejects insecure Netlogon connections outright, scheduled for February 2021.

In addition, vulnerability chaining makes it crucial that you always take a holistic view of your network security. While every component of your network needs to be secure in and of itself, it is also beneficial to understand how one weakness can be used to exploit another weakness and take steps to manage those interplays and improve your security posture.

Stay safe