Feds Warn of VPN Attacks That May Be Targeting Election Security
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently announced a joint cybersecurity advisory on attacks against government networks, as well as other organizational networks.
These government agency attacks are leveraging unpatched software vulnerabilities, including the Windows Server Netlogon flaw (CVE-2020-1472) that was addressed by Microsoft's August security patch release.
The CISA-FBI announcement suggested that election targeting could be part of the motivation behind the increased malicious activity against government networks:
CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.
The attackers could leverage publicized security vulnerabilities in various virtual private networks (VPNs) and management solutions to gain a foothold, the announcement suggested, and it cited the following CVEs as possible, although not confirmed, avenues:
Next, the attackers are using the Windows Server Netlogon security vulnerability to gain credentials, and then using VPNs and the Remote Desktop Protocol for remote attack purposes.
After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials.
Organizations should keep up to date with software patches, including VPNs and domain controllers, according to the CISA-FBI announcement. They should implement multifactor authentication on all VPN connections. Patch management should include auditing, and all outbound network connections should be monitored. The announcement included some very painful advice to follow should Active Directory admin accounts be found to be compromised.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.