Hackers Combine Zerologon And VPN Exploits To Infiltrate U.S. Election Systems

There is a hacking campaign to disrupt this year's presidential election in the United States, according to a warning issued by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). Hackers are chaining Windows and virtual private network (VPN) exploits to carry out their attacks.

"CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application," the warning reads.

CVE-2020-1472, better known as Zerologon, is a flaw in Netlogon, the Windows Server service that authenticates users and services within a domain.

For the most part, CISA and the FBI have observed malicious activity being directed at federal and state, local, tribal, and territorial (SLTT) government networks, though there have been some outside targets as well.

"Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks," CISA says.

The warning points to several known vulnerabilities, noting multiple instances of attacks that target a Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability (CVE-2018-13379) in combination with Zerologon and, to a lesser extent, a MobileIron vulnerability (CVE-2020-15505). These attacks are ongoing, the warning states.

"After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors, and is not limited to SLTT entities," CISA states.

The joint warning contains technical details on the attack vectors. It also says organizations should proceed with an "assumed breach" mentality, and apply a list of patches "promptly and diligently."

"Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs," the warning says.

While concerning, this is not surprising. It is also just one piece of a bigger election disruption puzzle. Back in September, the FBI and CISA warned that foreign actors and cybercriminals are likely to spread disinformation (PDF) regarding 2020 election results, by creating new websites, changing existing websites, and creating or sharing social media content to spread false information intended to discredit the electoral process.