The FBI and the Department of Homeland Security's cybersecurity division said they had discovered hackers exploiting a critical Windows vulnerability against state and local governments and that, in some cases, the attacks were being used to break into networks used in support of elections.
Members of unspecified APTs – the acronym for advanced persistent threats – exploited the Windows vulnerability known as Zerologon. It gives attackers who already have a foothold on a vulnerable network access to the powerful domain controllers that administrators use to create new accounts and manage existing ones.
To gain initial access, the attackers used separate security holes in firewalls, VPNs and other products from companies such as Juniper, Pulse Secure, Citrix NetScaler and Palo Alto Networks. All of the vulnerabilities – including Zerologon – have received patches, but as the DHS and FBI warning on Friday indicates, not all organizations have installed them. That inaction endangers governments and electoral systems at all levels.
This recent malicious activity has often, but not exclusively, been directed against federal and state, local, tribal, and territorial (SLTT) government networks. While it does not appear that these targets are being selected because of their proximity to election information, there may be some risk to election information stored on government networks.
CISA is aware of a few instances where this activity resulted in unauthorized access to election support systems. However, to date, CISA has no evidence that the integrity of the election data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to defend themselves against this malicious cyber activity.
Zerologon works by sending a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers rely on for a variety of tasks, including allowing end users to log on to a network. Unauthenticated attackers can use the exploit to obtain administrative credentials for a domain, provided they can establish TCP connections with a vulnerable domain controller. That requirement is likely the reason attackers chain Zerologon with exploits against VPNs and firewalls.
Friday's advisory provides some guidance for organizations that believe they have been, or may have been, compromised. Most importantly, patches for the targeted vulnerabilities – some of which have been around for over a year – should be applied, or the hardware they run on should be disconnected from networks.