The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI reported that advanced persistent threat (APT) actors gained unauthorized access to government networks by chaining legacy vulnerabilities in VPN appliances with a critical flaw in the Windows Netlogon protocol. In a joint security alert, the agencies said they had observed APT actors targeting federal and state, local, tribal, and territorial (SLTT) government networks as well as non-government networks. “CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised,” the alert said.
The APT actors leveraged legacy network access and exploited the critical Netlogon elevation-of-privilege vulnerability CVE-2020-1472 (commonly known as Zerologon) to compromise Active Directory (AD) identity services. The alert also found that the actors exploited vulnerabilities in internet-facing infrastructure, the MITRE ATT&CK technique External Remote Services (T1133), to gain initial access to systems. “Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors and is not limited to SLTT entities,” the alert added.
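The chain described above leaves two distinct traces on a domain controller: the exploit guesses the Netlogon client credential with an all-zero challenge and, on average, needs a few hundred attempts before the AES-CFB8 check passes, so the System log fills with Netlogon authentication failures (Event ID 5805) in a short burst, and the successful attempt resets the machine account password, which the Security log records as Event ID 4742 with an ANONYMOUS LOGON subject and a fresh PasswordLastSet value on an account ending in “$”. The hunt below is an added example, not code from the CISA/FBI alert: the event records are constructed to imitate a SIEM’s JSON export, the 4742 field names follow the real event schema, and the “client” field on the 5805 records is an assumed normalization of the computer name in that event’s message.

```python
"""Hunt for the CVE-2020-1472 (Zerologon) exploitation pattern in Windows event data.

Added example, not part of the CISA/FBI alert. The records are constructed
samples, not real telemetry; only the 4742 EventData field names
(SubjectUserName, TargetUserName, PasswordLastSet) are taken from the real
event schema. The 'client' field on 5805 records is an assumed SIEM field.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2020, 10, 9, 14, 2, 0)


def _rec(when: datetime, log: str, event_id: int, computer: str, **data) -> dict:
    """Build one normalized event record (constructed shape, not a real EVTX export)."""
    return {"time": when, "log": log, "id": event_id, "computer": computer, "data": data}


def build_sample() -> list:
    """Construct a sample event stream containing one exploitation sequence plus noise."""
    events = []
    # 1) Burst of Netlogon session-setup failures while the exploit retries the
    #    all-zero client challenge against DC01's own machine account.
    for i in range(40):
        events.append(_rec(BASE + timedelta(seconds=i), "System", 5805, "DC01", client="DC01"))
    # 2) The attempt that passed: an unauthenticated caller resets DC01$'s password.
    events.append(_rec(BASE + timedelta(seconds=41), "Security", 4742, "DC01",
                       SubjectUserName="ANONYMOUS LOGON", SubjectDomainName="NT AUTHORITY",
                       TargetUserName="DC01$", TargetDomainName="CORP",
                       PasswordLastSet="10/9/2020 2:02:41 PM"))
    # 3) Benign noise: a routine workstation account change with no password reset
    #    ('-' means the attribute was not modified) and one stray 5805 from an
    #    orphaned printer whose trust relationship is simply broken.
    events.append(_rec(BASE + timedelta(minutes=3), "Security", 4742, "DC01",
                       SubjectUserName="svc-joiner", SubjectDomainName="CORP",
                       TargetUserName="WS0123$", TargetDomainName="CORP",
                       PasswordLastSet="-"))
    events.append(_rec(BASE + timedelta(minutes=4), "System", 5805, "DC01", client="OLDPRINT01"))
    return events


def zerologon_password_resets(events: list) -> list:
    """Return (time, dc, account) for 4742 events where an unauthenticated subject
    actually changed a machine account's password: the classic Zerologon indicator."""
    hits = []
    for e in events:
        if e["log"] != "Security" or e["id"] != 4742:
            continue
        d = e["data"]
        if (d.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
                and d.get("TargetUserName", "").endswith("$")
                and d.get("PasswordLastSet", "-") != "-"):
            hits.append((e["time"].isoformat(), e["computer"], d["TargetUserName"]))
    return hits


def netlogon_failure_bursts(events: list, threshold: int = 20, window_seconds: int = 300) -> dict:
    """Per (dc, client), find the densest sliding window of 5805 failures and return
    those reaching `threshold`. Legitimate broken trusts fail slowly; exploit retries do not."""
    times = defaultdict(list)
    for e in events:
        if e["log"] == "System" and e["id"] == 5805:
            times[(e["computer"], e["data"].get("client", "?"))].append(e["time"])
    bursts = {}
    for key, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it fits
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def hunt(events: list) -> dict:
    """Run both detections; a DC appearing in both is a strong exploitation signal."""
    return {
        "netlogon_failure_bursts": netlogon_failure_bursts(events),
        "anonymous_machine_password_resets": zerologon_password_resets(events),
    }


if __name__ == "__main__":
    for name, result in hunt(build_sample()).items():
        print(name, result)
```

The two signals should be correlated rather than alerted on separately: a 5805 burst alone can come from a host with a stale machine password, and a 4742 on a machine account alone is routine, but a burst from a DC against itself followed within seconds by an anonymous password reset of that DC’s account is the exploit. On domain controllers that have the August 2020 Netlogon update installed, the more direct signal is the Netlogon event range 5827–5831, which records vulnerable secure-channel connections that were denied or allowed, and those should be hunted alongside the pattern above.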
CISA urged system administrators to review their internet-facing infrastructure for these or similar vulnerabilities that attackers could exploit, including Juniper Junos OS CVE-2020-1631, Pulse Secure VPN CVE-2019-11510, Citrix NetScaler (ADC and Gateway) CVE-2019-19781, and Palo Alto Networks PAN-OS CVE-2020-2021, all of which affect remote-access and perimeter devices that are routinely exposed to the internet.
The agencies also recommended certain protective measures to secure the organization’s VPNs. These include:
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations.
- Implement multi-factor authentication (MFA) on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available.
- Discontinue unused VPN servers. Every VPN endpoint that is still reachable but no longer maintained is a potential point of entry, so decommissioning the ones nobody uses directly reduces the organization’s attack surface.