CISA: Hackers are Chaining Long-Known Vulnerabilities to Attack Government Networks
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning that hackers have been using a combination of vulnerabilities in several different VPNs along with the Windows Netlogon vulnerability to gain access to government networks. The advisory notes that there have been "some instances where this activity resulted in unauthorized access to elections support systems," but that the integrity of election data has not been compromised. The advisory includes advice for protecting systems.
Exactly a year ago, the NSA released an advisory warning of exploitations of exactly the same vulnerability (e.g. CVE-2018-13379). Additional warnings for these types of attacks were released in February, May, about a month ago, and again now. The headlines should be "CISA: Government networks still don't know how to manage VPN vulnerabilities." Any attacker would be negligent not to take advantage of this easy-to-exploit "VPN + Zerologon" attack vector.
Weaknesses in so-called "VPN" products, services, and implementations should not discourage "virtual private connections," that is, the use of end-to-end application-layer encryption. The term "VPN" has become synonymous with marketed proxy services intended to merely hide the origin of traffic to avoid geographic or political controls. Such services are not "private" in the original sense of the term. Neither are they truly (user to application) end-to-end.
William Hugh Murray
Read more in
US-CERT CISA: Alert (AA20-283A) APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
ZDNet: Hacker groups chain VPN and Windows bugs to attack US government networks
Cyberscoop: Foreign hackers are targeting federal, state and local IT networks, feds warn