According to CISA, these flaws center on the Fortinet FortiOS Secure Socket Layer (SSL) VPN and the MobileIron platform.
In 2016, the U.S. presidential election was surrounded by controversy over rumors that foreign actors had illegally influenced the vote.
Now the same threat appears to loom over the upcoming U.S. elections: both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert warning that government networks are under threat of data theft by Advanced Persistent Threat (APT) actors.
It is worth noting that both CISA and FBI are very active in issuing warnings against sophisticated cyber attacks and unpatched vulnerabilities. Just a few weeks ago both agencies had warned of critical vulnerabilities that were being exploited in VPNs and Microsoft servers to target critical cyberinfrastructure in the United States.
As for the new warning: the attack in question is a vulnerability chaining attack, in which the threat actors exploit multiple vulnerabilities to gain a single point of access. The chain centers on CVE-2018-13379, a vulnerability in the Fortinet FortiOS Secure Socket Layer (SSL) VPN, and CVE-2020-15505, a vulnerability in the MobileIron platform, both of which attackers can use to gain unauthorized access to servers.
The CISA alert explains: “[Its purpose is to] compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors and is not limited to SLTT entities.”
If the attack succeeds, the attackers gain access to confidential information, which they can then steal and use for nefarious purposes such as trying to influence the electoral process.
Rick Moy, VP of sales and marketing at Tempered, commented on the issue and told Hackread.com that: “It’s extremely concerning that remote attackers can run arbitrary unauthenticated code against a security product. Authentication and authorization should be the cornerstone of all access, but many legacy security offerings have obvious holes, leaving them vulnerable.”
“This is why organizations are starting to rethink their cybersecurity strategy to fortify their solution stack against increasingly frequent and malicious attacks. In the coming months, we’ll increasingly see organizations turning to zero trust approaches, which ‘never trust, always verify’ users, for next-generation VPNs and software-defined perimeters,” Rick warned.
To guard against this, all government departments and other organizations that handle any sort of election data should keep their systems updated and apply released patches promptly. As for determining whether a network has already been infiltrated, CISA’s blog post states:
“If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed.”
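To show what “an observation of CVE-2020-1472 Netlogon activity” can look like in practice, here is an added example (not code from the article, CISA or Microsoft) that scans exported domain controller Security-log events and applies CISA’s rule: a successful vulnerable Netlogon connection or an anonymous computer-account password reset means the AD forest should be treated as compromised. The event IDs 5827–5831 are the ones Microsoft added with the August 2020 Netlogon patch; the 4742/ANONYMOUS LOGON heuristic is an assumption drawn from public Zerologon write-ups, and the JSON log lines, hostnames and IP addresses are constructed for the example.

```python
"""Flag Netlogon (CVE-2020-1472) indicators in exported Windows Security events.

Added example; not the article's or CISA's code. Input is one JSON object per
line, the shape many SIEM/Winlogbeat exports use (assumption).
"""
import json
from typing import Dict, List

# Event IDs introduced by Microsoft's August 2020 Netlogon update.
# 5827/5828 = vulnerable connection denied (attempt blocked);
# 5829-5831 = vulnerable connection allowed (the exploit path was open).
NETLOGON_EVENT_IDS = {
    5827: "vulnerable Netlogon secure channel DENIED (machine account)",
    5828: "vulnerable Netlogon secure channel DENIED (trust account)",
    5829: "vulnerable Netlogon secure channel ALLOWED (machine account)",
    5830: "vulnerable Netlogon secure channel ALLOWED by policy (machine account)",
    5831: "vulnerable Netlogon secure channel ALLOWED by policy (trust account)",
}
# Events that mean the attack actually got through, not just an attempt.
SUCCESS_EVENT_IDS = {5829, 5830, 5831, 4742}

# Constructed sample export: five events from a hypothetical DC "DC01".
SAMPLE_EVENTS = """
{"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith", "LogonType": 10}
{"EventID": 5829, "Computer": "DC01.corp.example", "SamAccountName": "WS07$", "ClientIP": "10.0.5.23"}
{"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "changed"}
{"EventID": 5827, "Computer": "DC01.corp.example", "SamAccountName": "WS12$", "ClientIP": "10.0.5.44"}
{"EventID": 4672, "Computer": "DC01.corp.example", "SubjectUserName": "Administrator"}
this line is not json and must be skipped, not crash the scan
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines input, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed export line: skip rather than abort the scan
    return events


def find_indicators(events: List[Dict]) -> List[Dict]:
    """Return every event that is a Netlogon/Zerologon indicator."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in NETLOGON_EVENT_IDS:
            hits.append({
                "event_id": eid,
                "reason": NETLOGON_EVENT_IDS[eid],
                "account": ev.get("SamAccountName"),
                "source": ev.get("ClientIP"),
            })
        # Heuristic (assumption): a computer-account password change performed
        # by ANONYMOUS LOGON matches the Zerologon password-reset step.
        elif (eid == 4742
              and str(ev.get("SubjectUserName", "")).upper() == "ANONYMOUS LOGON"
              and ev.get("PasswordLastSet") not in (None, "-")):
            hits.append({
                "event_id": eid,
                "reason": "computer account password changed by ANONYMOUS LOGON",
                "account": ev.get("TargetUserName"),
                "source": None,
            })
    return hits


def assess(events: List[Dict]) -> Dict:
    """Apply CISA's guidance: success indicators => assume AD is compromised."""
    hits = find_indicators(events)
    compromised = any(h["event_id"] in SUCCESS_EVENT_IDS for h in hits)
    if compromised:
        advice = ("Assume AD administrative accounts are compromised; do not "
                  "fully trust the AD forest; plan deployment of a new forest.")
    elif hits:
        advice = ("Vulnerable Netlogon attempts were denied; confirm all DCs "
                  "are patched and enforcement mode is on, then investigate the sources.")
    else:
        advice = "No Netlogon indicators found in this export."
    return {"indicators": hits, "assume_ad_compromised": compromised,
            "recommendation": advice}


if __name__ == "__main__":
    report = assess(parse_events(SAMPLE_EVENTS))
    for hit in report["indicators"]:
        print(f"[{hit['event_id']}] {hit['reason']} account={hit['account']} source={hit['source']}")
    print("assume AD compromised:", report["assume_ad_compromised"])
    print(report["recommendation"])
```

The split between “denied” and “allowed” events is the point: a 5827 alone shows a patched DC doing its job, while a 5829 or an anonymous 4742 means the forest can no longer be trusted, which is exactly the condition under which CISA says to stand up a new one.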