To attack government networks, hackers combine Zerologon problem with VPN vulnerabilities

Representatives of the FBI and the Cybersecurity and Infrastructure Protection Agency, part of the US Department of Homeland Security (DHS CISA), issued a warning that hackers combine the Zerologon problem (CVE-2020-1472) with various VPN bugs to attack governmental networks.

“CISA is aware of a number of cases, when such activities have led to unauthorized access to electoral support systems. However, to date, CISA has no evidence that the integrity of this data has been compromised”, — says the warning.

According to law enforcement officials, in the course of such attacks, cybercriminals exploit at least two vulnerabilities: CVE-2018-13379 and CVE-2020-1472.

The first issue (CVE-2018-13379) was discovered as part of the Fortinet FortiOS Secure Socket Layer (SSL) VPN, a local VPN commonly used as a secure gateway to access corporate networks from remote locations.

The second issue (CVE-2018-13379) allows attackers to upload malicious files to unsecured systems and take over Fortinet VPN servers.

As for the Zerologon vulnerability, let me remind you that it relies on a weak cryptographic algorithm used in the Netlogon authentication process. The problem was named Zerologon, since the attack is carried out by adding zeros to certain Netlogon authentication parameters.

As a result, the bug allows an attacker to manipulate authentication, namely:

• impersonate any computer on the network during authentication with a domain controller;
• disable security mechanisms during Netlogon authentication;
• change the computer password in the Active Directory domain controller.

The CISA and the FBI explain that hackers combine these vulnerabilities, starting by taking over Fortinet servers and then moving on to taking over the internal network with Zerologon.

Experts also warned that in addition to bugs in Fortinet products, hackers can use any other vulnerabilities in VPN solutions and gateways, because there have been a lot of such bugs recently.

Suffice it to recall the following problems:

• corporate VPN Pulse Secure Connect (CVE-2019-11510);
• VPN Global Protect from Palo Alto Networks (CVE-2019-1579);
• Citrix ADC servers and Citrix network gateways (CVE-2019-19781);
• Servers for managing mobile devices MobileIron (CVE-2020-15505);
• F5 BIG-IP load balancers (CVE-2020-5902).

Let me remind you that US autorities are afraid of attacks by foreign hackers and ransomware attacks during presidential election.