AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
Original release date: October 9, 2020
Note: the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available. This joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI).
CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.
This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.
CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.
After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors and is not limited to SLTT entities.
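As an added example (not part of the CISA advisory), one way a defender can hunt for the sequence described above: a Python script that correlates Netlogon "vulnerable secure channel" events (IDs 5827/5829, emitted by domain controllers that received Microsoft's August 2020 update for CVE-2020-1472) with a later RDP logon (4624, logon type 10) from the same source address. The event records are constructed samples, and the field names are assumptions about how a SIEM would normalize them.

```python
# Added example (not part of the CISA advisory): correlate Windows Netlogon
# "vulnerable secure channel" events (IDs 5827/5829, written by domain
# controllers patched with the August 2020 update for CVE-2020-1472) with a
# later RDP logon (4624, logon type 10) from the same source IP. The events
# below are constructed samples, not real telemetry; field names are assumed.
from datetime import datetime, timedelta

NETLOGON_VULN_IDS = {5827, 5829}   # denied / allowed vulnerable Netlogon channel
RDP_LOGON_ID, RDP_LOGON_TYPE = 4624, 10

SAMPLE_EVENTS = [  # constructed sample records
    {"time": "2020-10-01T09:00:00", "id": 5829, "host": "DC01",
     "ip": "10.0.5.23", "account": "DC01$"},
    {"time": "2020-10-01T09:07:30", "id": 4624, "host": "FS01",
     "ip": "10.0.5.23", "account": "administrator", "logon_type": 10},
    {"time": "2020-10-01T11:00:00", "id": 4624, "host": "FS01",
     "ip": "10.0.9.8", "account": "jsmith", "logon_type": 10},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def correlate(events, window_minutes=60):
    """Return (netlogon_event, rdp_event) pairs where an RDP logon from the
    same source IP follows a vulnerable-Netlogon event within the window."""
    netlogon = [e for e in events if e["id"] in NETLOGON_VULN_IDS]
    rdp = [e for e in events
           if e["id"] == RDP_LOGON_ID and e.get("logon_type") == RDP_LOGON_TYPE]
    window = timedelta(minutes=window_minutes)
    hits = []
    for n in netlogon:
        for r in rdp:
            delta = _t(r["time"]) - _t(n["time"])   # RDP must come after
            if r["ip"] == n["ip"] and timedelta(0) <= delta <= window:
                hits.append((n, r))
    return hits


if __name__ == "__main__":
    for n, r in correlate(SAMPLE_EVENTS):
        print(f"{n['ip']}: vulnerable Netlogon channel to {n['host']} "
              f"(event {n['id']}) then RDP logon as {r['account']} on {r['host']}")
```

A 5829 event alone only shows that a vulnerable channel was allowed; the follow-on logon from the same address is what separates legitimate unpatched clients from the post-exploitation access pattern the advisory describes.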