How to analyze how APT organizations exploit VPN and Windows Zerologon vulnerabilities to attack US government networks

2025-01-22 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

How do APT organizations combine VPN and Windows Zerologon vulnerabilities to attack US government networks? Many readers are unsure where to start with this question, so this article summarizes the causes of the problem and the available remedies. I hope it helps you work through it.

US government networks were attacked

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity bulletin (Alert AA20-283A) on October 9, warning that APT organizations had chained VPN vulnerabilities with the Windows Zerologon vulnerability (CVE-2020-1472) to attack US government networks and thereby gain unauthorized access to election support systems.

According to the bulletin, the attacks targeted federal networks and state, local, tribal, and territorial (SLTT) government networks in the United States. Although the attackers do not appear to have chosen these targets because of their proximity to election information, CISA warned that election information stored on government networks could be at risk.

CISA is aware of instances in which the attackers gained unauthorized access to election support systems, but there is no evidence that the integrity of election data was compromised.

In several cases, CISA observed the attackers gain initial network access by exploiting CVE-2018-13379 in the Fortinet FortiOS Secure Socket Layer (SSL) VPN or CVE-2020-15505 in MobileIron products on servers exposed to the Internet.

After gaining initial access, the attackers exploited the CVE-2020-1472 (Zerologon) vulnerability in the Windows Netlogon authentication protocol to elevate privileges to domain administrator, thereby taking control of the entire domain and changing user passwords. The attackers then used the compromised credentials to access the environment through legitimate remote access tools such as VPN and Remote Desktop Protocol (RDP).

CISA did not disclose details of the APT group, but said it had observed the same activity not only against SLTT entities but also across multiple industry sectors.

Exploited vulnerabilities

According to the information released by CISA, the attackers mainly chained CVE-2018-13379 in the Fortinet FortiOS Secure Socket Layer (SSL) VPN with the Windows Zerologon vulnerability CVE-2020-1472 in this campaign.

CVE-2018-13379 has a CVSS 3.x base score of 9.8, making it a critical vulnerability. It is a path traversal flaw in the FortiOS SSL VPN web portal and affects Fortinet FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 when the SSL VPN service is enabled. An unauthenticated attacker can use a specially crafted HTTP resource request to download FortiOS system files. The vendor fixed this vulnerability in FortiOS versions 5.4.13, 5.6.8, 6.0.5, and 6.2.0 and later.

Microsoft disclosed the CVE-2020-1472 (Zerologon) vulnerability on Patch Tuesday in August 2020. "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC)," Microsoft said in its advisory. Microsoft and the NVD both assigned the vulnerability the maximum CVSS score of 10. If successfully exploited, an attacker can run a specially crafted application on a device in the network. The vulnerability affects Microsoft Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server version 1903, Windows Server version 1909, and Windows Server version 2004.

Microsoft has not yet fully fixed the vulnerability. In its August announcement Microsoft said that, because many non-Windows devices use the Netlogon Remote Protocol (MS-NRPC), it would fix the vulnerability in two phases so that vendors of devices that connect over vulnerable Netlogon secure channels have time to provide updates to their customers. The initial deployment phase began on August 11, 2020, and the second (enforcement) phase is scheduled for release in the first quarter of 2021.
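As an added, defensive example (not code from CISA, Microsoft or this article), the script below triages exported Windows event records for the two things a defender wants to know after reading the above: which clients still establish vulnerable Netlogon secure channels and must be fixed before Microsoft's enforcement phase, and whether a domain controller's machine account was changed by an anonymous caller, a commonly cited indicator that the Netlogon authentication bypass was used to reset it. Event IDs 5827 to 5831 (logged by domain controllers with the August 2020 update) and 4742 (computer account changed) are real Windows events; the record layout, the sample records and the `DOMAIN_CONTROLLERS` set are assumptions constructed for this example.

```python
"""
Added example (not code from CISA, Microsoft or the article): a small triage
routine that scans exported Windows event records for Zerologon-related signals.

Signals checked:
  * System log, provider NETLOGON, events 5827-5831, logged by domain
    controllers with the August 2020 update: 5827/5828 mean a vulnerable
    Netlogon secure channel was denied, 5829 means one was still allowed
    (initial deployment phase), 5830/5831 mean one was allowed by group policy
    exception. Every 5829 is a device that needs a vendor fix before the
    enforcement phase turns the allow into a deny.
  * Security log, event 4742 (computer account changed) whose subject is
    ANONYMOUS LOGON and whose target is a domain controller machine account.

The record layout (a list of dicts with a "data" sub-dict) is an assumption
made for this offline example; the event records themselves are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Finding:
    severity: str
    event_id: int
    computer: str
    detail: str


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"log": "System", "provider": "NETLOGON", "event_id": 5829,
     "computer": "DC01.example.test",
     "data": {"SamAccountName": "PRINTER07$", "ClientAddress": "10.0.5.23"}},
    {"log": "System", "provider": "NETLOGON", "event_id": 5827,
     "computer": "DC01.example.test",
     "data": {"SamAccountName": "LEGACYNAS$", "ClientAddress": "10.0.5.40"}},
    {"log": "Security", "provider": "Microsoft-Windows-Security-Auditing",
     "event_id": 4742, "computer": "DC01.example.test",
     "data": {"SubjectUserName": "ANONYMOUS LOGON",
              "SubjectDomainName": "NT AUTHORITY",
              "TargetUserName": "DC01$"}},
    {"log": "Security", "provider": "Microsoft-Windows-Security-Auditing",
     "event_id": 4742, "computer": "DC01.example.test",
     "data": {"SubjectUserName": "WS0042$", "SubjectDomainName": "EXAMPLE",
              "TargetUserName": "WS0042$"}},
]

# Assumed set of domain controller machine accounts (sAMAccountName form).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED = {5829, 5830, 5831}


def triage(events: Iterable[dict], dc_accounts=DOMAIN_CONTROLLERS) -> List[Finding]:
    """Return one Finding per event of interest; benign events are skipped."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("event_id")
        data = ev.get("data", {})
        computer = ev.get("computer", "?")
        if ev.get("provider") == "NETLOGON" and eid in NETLOGON_ALLOWED:
            # A still-vulnerable channel was accepted: this client must be
            # updated or it will stop authenticating in the enforcement phase.
            findings.append(Finding(
                "medium", eid, computer,
                f"vulnerable Netlogon secure channel allowed for "
                f"{data.get('SamAccountName')} from {data.get('ClientAddress')}"))
        elif ev.get("provider") == "NETLOGON" and eid in NETLOGON_DENIED:
            findings.append(Finding(
                "low", eid, computer,
                f"vulnerable Netlogon secure channel denied for "
                f"{data.get('SamAccountName')} from {data.get('ClientAddress')}"))
        elif eid == 4742:
            subject = data.get("SubjectUserName", "")
            target = data.get("TargetUserName", "")
            # Routine computer password rotations are performed by the computer
            # account itself; an anonymous subject changing a DC account is not.
            if subject.upper() == "ANONYMOUS LOGON" and target in dc_accounts:
                findings.append(Finding(
                    "high", eid, computer,
                    f"{target} machine account changed by ANONYMOUS LOGON; "
                    f"treat the domain as compromised and rotate credentials"))
    return findings


def summarize(findings: Iterable[Finding]) -> dict:
    """Count findings per severity, e.g. {'medium': 1, 'low': 1, 'high': 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.computer} event {f.event_id}: {f.detail}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

In practice the records would come from an event forwarding pipeline or an export of the System and Security logs on each domain controller; the medium findings are the inventory of devices to chase with vendors before the enforcement phase, and a single high finding warrants incident response rather than patching alone.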

In addition to the attacks disclosed by CISA, a recent warning from Microsoft reports that the Zerologon vulnerability has also been exploited by Mercury, an Iranian APT organization, and by TA505, a Russian cybercrime gang.

[Image: Microsoft Security Intelligence team tweet of October 7]

Other VPN vulnerabilities that can be used to perform attacks

In addition to CVE-2018-13379 in Fortinet FortiOS, CISA warns that attackers may exploit other, similar VPN vulnerabilities to attack unpatched, Internet-facing network edge devices. CISA said it is highly likely that attackers will exploit the vulnerabilities in the following table to gain initial access to government and critical infrastructure networks in the future.

No. | CVE-ID | Affected products and versions

1. CVE-2019-19781: Citrix Application Delivery Controller; Citrix Gateway; Citrix SD-WAN WANOP

2. CVE-2020-5902: F5 BIG-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)

3. CVE-2019-11510: Pulse Connect Secure 9.0R1-9.0R3.3, 8.3R1-8.3R7, 8.2R1-8.2R12, 8.1R1-8.1R15; Pulse Policy Secure 9.0R1-9.0R3.1, 5.4R1-5.4R7, 5.3R1-5.3R12, 5.2R1-5.2R12, 5.1R1-5.1R15

4. CVE-2020-15505: MobileIron Core & Connector 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry 9.7.2 and earlier, and 9.8.0; Monitor and Reporting Database (RDB) 2.0.0.1 and earlier

5. CVE-2020-1631: Juniper Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1

6. CVE-2020-2021: Palo Alto Networks PAN-OS 9.1 versions before 9.1.3; PAN-OS 9.0 versions before 9.0.9; PAN-OS 8.1 versions before 8.1.15; and all versions of PAN-OS 8.0 (end of life)

After reading the above, you should have a clearer picture of how APT organizations chain VPN and Windows Zerologon vulnerabilities to attack US government networks. If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!
