Posted on October 12, 2020 at 1:11 PM
With the US elections about to begin, the security of election support systems matters more than ever. The country has done everything in its power to ensure that nobody can breach these systems and try to manipulate the elections.
However, despite everything that was done to protect them, it appears that hackers have still found a way into government networks.
Election data was not compromised
The FBI and CISA published a joint alert on Friday noting multiple attacks against federal networks and against state, local, tribal, and territorial (SLTT) government networks. The hackers did not stop there: some non-government networks were targeted as well.
The alert states that investigators are aware of the activity and that some of the attacks succeeded in accessing election support systems. According to CISA, however, there is no evidence that election data has been compromised.
Officials noted that the targets do not appear to have been chosen for their proximity to election information. Even so, election data stored on government networks may be at some risk.
What flaws did hackers use?
The alert notes that the hackers chained two flaws — a VPN flaw tracked as CVE-2018-13379 and a Windows flaw tracked as CVE-2020-1472.
The first is a flaw in Fortinet FortiOS SSL VPN, an on-premises VPN server that acts as a secure gateway for remote access to enterprise networks.
The flaw was disclosed in 2019, and the article's source alert describes it as allowing hackers to upload malware to unprotected systems and thereby hijack Fortinet VPN servers.
The Windows flaw, CVE-2020-1472, is better known as Zerologon. It is a vulnerability in Netlogon, the protocol Windows workstations use to authenticate against Windows Servers acting as domain controllers.
Using this flaw, hackers can take over domain controllers, the servers that manage an entire internal or enterprise network. Such servers usually also store the passwords of every workstation joined to them.
By combining the two flaws, hackers can hijack Fortinet servers and then use Zerologon to take control of internal networks. The actors were observed using legitimate remote access tools, such as RDP and VPN, together with compromised credentials to move around the environment.
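The chain described above leaves traces on the domain controller that a defender can look for. The following is an added example, not code from the article or from the agencies' alert. It assumes Windows events have been exported as JSON lines with the fields shown, and it relies on two facts from Microsoft's Zerologon guidance: Event ID 5829 in the System log records a vulnerable Netlogon secure channel connection that was allowed, and Event ID 4742 in the Security log records a computer account change. A domain controller's machine account normally rotates its own password, so a 4742 on a DC machine account where the subject is someone else (typically ANONYMOUS LOGON during an exploitation attempt) is suspicious. RDP logons are Security Event 4624 with LogonType 10; the sample events and host names are constructed for this example.

```python
import json

# Constructed sample events (NOT real captures), shaped like a JSON-lines export
# of the Windows System and Security logs from a domain controller "DC01".
SAMPLE_EVENTS = """\
{"ts":"2020-10-09T02:14:03Z","channel":"System","event_id":5829,"computer":"DC01","data":{"SamAccountName":"WKS-17$","SourceIP":"10.20.30.41"}}
{"ts":"2020-10-09T02:14:05Z","channel":"Security","event_id":4742,"computer":"DC01","data":{"TargetUserName":"DC01$","SubjectUserName":"ANONYMOUS LOGON","PasswordLastSet":"10/9/2020 2:14:05 AM"}}
{"ts":"2020-10-09T02:15:00Z","channel":"Security","event_id":4624,"computer":"DC01","data":{"TargetUserName":"admin","LogonType":10,"IpAddress":"10.20.30.41"}}
{"ts":"2020-10-09T03:00:00Z","channel":"Security","event_id":4742,"computer":"DC01","data":{"TargetUserName":"WKS-22$","SubjectUserName":"WKS-22$","PasswordLastSet":"10/9/2020 3:00:00 AM"}}
"""

# Assumed inventory of domain controller host names (hypothetical).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

NETLOGON_VULNERABLE_CHANNEL_ALLOWED = 5829  # System log, per Microsoft's Zerologon guidance
COMPUTER_ACCOUNT_CHANGED = 4742             # Security log
LOGON_SUCCESS = 4624                        # Security log
LOGON_TYPE_REMOTE_INTERACTIVE = 10          # RDP


def parse_events(text):
    """Parse JSON-lines event export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_zerologon_indicators(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return a list of findings; each is a dict with a 'kind' and the triggering event."""
    findings = []
    suspicious_sources = set()  # IPs seen making vulnerable Netlogon connections

    for ev in events:
        eid = ev.get("event_id")
        data = ev.get("data", {})

        if eid == NETLOGON_VULNERABLE_CHANNEL_ALLOWED:
            # A client negotiated a Netlogon secure channel without the
            # enforced protections; the source IP is worth correlating.
            src = data.get("SourceIP")
            if src:
                suspicious_sources.add(src)
            findings.append({"kind": "vulnerable_netlogon_channel",
                             "host": ev.get("computer"), "source": src,
                             "account": data.get("SamAccountName"), "ts": ev.get("ts")})

        elif eid == COMPUTER_ACCOUNT_CHANGED:
            target = data.get("TargetUserName", "")
            subject = data.get("SubjectUserName", "")
            is_dc_account = target.endswith("$") and target[:-1].upper() in domain_controllers
            # A DC's machine account normally changes its own password; any other
            # subject (e.g. ANONYMOUS LOGON) resetting it is a Zerologon indicator.
            if is_dc_account and subject.upper() != target.upper():
                findings.append({"kind": "dc_machine_password_reset",
                                 "host": ev.get("computer"), "account": target,
                                 "subject": subject, "ts": ev.get("ts")})

        elif eid == LOGON_SUCCESS and data.get("LogonType") == LOGON_TYPE_REMOTE_INTERACTIVE:
            # RDP logon from an IP that earlier made a vulnerable Netlogon
            # connection: matches the "legitimate tools after the exploit" pattern.
            ip = data.get("IpAddress")
            if ip in suspicious_sources:
                findings.append({"kind": "rdp_from_suspicious_source",
                                 "host": ev.get("computer"), "source": ip,
                                 "user": data.get("TargetUserName"), "ts": ev.get("ts")})
    return findings


def finding_kinds(text=SAMPLE_EVENTS):
    """Convenience wrapper: kinds of findings produced for a JSON-lines export."""
    return [f["kind"] for f in find_zerologon_indicators(parse_events(text))]


if __name__ == "__main__":
    for f in find_zerologon_indicators(parse_events(SAMPLE_EVENTS)):
        print(f)
```

The 4742 heuristic is deliberately narrow: it fires only for domain controller machine accounts, since an ordinary workstation rotating its own password (the last sample event) is routine. Events are processed in timestamp order, so the RDP correlation only works if the export is sorted.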
The agencies also described the attackers as APT (Advanced Persistent Threat) actors, but shared no further details in the alert. The term is often used for state-sponsored groups, such as the Iranian group MuddyWater (also tracked as Mercury). That group was recently observed using Zerologon and has targeted US government networks in the past.
What is next?
In light of these findings, the FBI and CISA recommend that both the private and public sectors update their systems. The updates patch the bugs and secure the systems against such attacks.
The patches are not new — they have been available for months, so they should be easy to find and deploy. The agencies also noted that hackers may try to exploit other VPN and gateway product vulnerabilities that were publicly disclosed in recent months.
Examples include CVE-2019-11510, CVE-2019-1579, CVE-2019-19781, CVE-2020-15505, and CVE-2020-5902.