Threat actors have gained access to government networks through a combination of Windows and VPN bugs, a commonly used tactic known as vulnerability chaining in which multiple bugs are used in a single intrusion to compromise a network or application.
The recent malicious activity took aim at federal and state, local, tribal and territorial government networks, according to a joint statement last Friday by CISA and the FBI.
CISA said although it does not appear these targets were selected because of their proximity to elections information, there are some instances in which the vulnerability chaining technique resulted in unauthorized access to elections support systems.
However, the agency said it has no evidence that the integrity of election data has been compromised.
According to the CISA-FBI statement, some common tactics, techniques and procedures used by the APT actors included leveraging legacy network access and VPN vulnerabilities in association with the recent critical CVE-2020-1472 Windows Netlogon vulnerability.
CISA also found multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks. And to a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505.
A growing number of state and federal agencies can be easily compromised even without hackers having any technical skills, said Ilia Kolochenko, founder and CEO of ImmuniWeb.
“Government agencies have a myriad of unprotected IT and cloud systems exposed to the Internet, with default or weak credentials, or even without passwords,” Kolochenko said. “Furthermore, it’s possible to easily find a great wealth of stolen credentials belonging to governmental employees on the dark web and, in view of a widespread and continuing trend of password reuse, can silently login to some state systems that process or store critical national data.”