Data Insider: Digital Guardian's Blog

Attackers Chaining Together Netlogon, VPN Bugs to Attack Govts

by Chris Brook on Tuesday October 13, 2020


CISA is warning that attackers are chaining together the recent Netlogon vulnerability, along with VPN vulnerabilities, to hack government networks.

Two months after it was patched by Microsoft, issues involving a troublesome vulnerability in the Windows Netlogon Remote Protocol continue to pop up.

Now attackers are leveraging the critical flaw, dubbed Zerologon, in vulnerability chains with other legacy vulnerabilities, in order to compromise networks.

The Cybersecurity and Infrastructure Security Agency (CISA) warned about the campaign on Friday, saying it has observed advanced persistent threat (APT) actors chaining together CVE-2020-1472, the Netlogon vulnerability, with other vulnerabilities to attack government networks. Specifically, attackers have had federal and SLTT governments (the Department of Homeland Security's term for state, local, tribal, and territorial governments) in their crosshairs.

While CISA, which wrote the advisory (.PDF) along with the Federal Bureau of Investigation, would not confirm which governments were targeted, it did say that some attacks led to unauthorized access to election support systems. CISA stopped short of saying the attacks compromised any election data, or that the attacks were carried out because the systems housed election information. Still, CISA said the activity suggests there could be "some risk to elections information housed on government networks."

Some of the attacks CISA has observed have combined the Netlogon vulnerability with a vulnerability in Fortinet's FortiOS Secure Socket Layer (SSL) VPN (CVE-2018-13379) and a critical vulnerability in MobileIron Core and Connector (CVE-2020-15505).

In some ways the post echoes warnings CISA has issued throughout the year so far. It previously stressed the importance of patching VPN bugs involving Juniper (CVE-2020-1631), Pulse Secure (CVE-2019-11510) and Citrix (CVE-2019-19781) and said on Friday that attackers could combine those bugs with the Netlogon vulnerability, too. The F5 BIG-IP vulnerability, CVE-2020-5902, could also prove attractive to attackers looking to bolster a vulnerability chain, CISA warned.

Details around CVE-2020-1472, an elevation of privilege vulnerability, were basically unknown until about a month ago when Secura, a Dutch security firm, published a paper outlining the vulnerability. Proof of concept exploit code for the vulnerability surfaced online not long after, as did a federal mandate, via CISA, for all agencies to patch the vulnerability if they hadn't yet.

Attackers can exploit the vulnerability by establishing a vulnerable Netlogon secure connection to a domain controller.

Despite being patched by Microsoft in August and awareness of the vulnerability spreading in September, the vulnerability has lingered. Microsoft warned recently that cybercriminals were using the vulnerability in a campaign posing as software updates.

Admins looking for more information on the Netlogon vulnerability, like how attackers are using it to abuse credentials and maintain persistence and some of the ways attackers are leveraging it for privilege escalation, should read CISA’s latest warning.

Tags: Vulnerabilities


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.