Zerologon Chained With Fortinet, MobileIron Vulnerabilities in U.S. Government Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that government networks have been targeted in attacks exploiting the Zerologon vulnerability in combination with flaws affecting Fortinet and MobileIron products.


“This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” CISA said in an advisory written with contributions from the FBI.


It added, “CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised.”


According to CISA, the attacks, which appear to be ongoing, have in many cases involved exploitation of CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal, and in some cases CVE-2020-15505, a recently detailed remote code execution vulnerability affecting MobileIron’s mobile device management (MDM) products.


These security holes were exploited by malicious actors to gain initial access to the targeted network; the attackers then used Zerologon (CVE-2020-1472, the Netlogon elevation of privilege flaw) to escalate privileges and compromise Active Directory identity services. CISA has described the attackers as “APT actors.”
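The chain described above ends with Zerologon being used to take over the domain, so the place a defender can catch it is on the domain controllers themselves. The following is an added example, not code from CISA or from the article: it scans Windows Security events for the two best-known Zerologon footprints, a machine-account password change (Event ID 4742) performed by ANONYMOUS LOGON (SID S-1-5-7), and Event ID 5829, which a domain controller with the August 2020 Netlogon update logs when it still accepts a vulnerable secure-channel connection. The event records are constructed in-line and only mirror a simplified subset of the EventData fields; the field names for the 5829 record (SamAccountName, ClientIP) and the domain controller names are assumptions for the example.

```python
"""Flag Zerologon (CVE-2020-1472) post-exploitation indicators in Windows
Security events.

Added example; not code from CISA or the article. The records below are
constructed and only mirror a simplified subset of Security-log EventData
fields, so field names are an assumption of this example.
"""

ANONYMOUS_LOGON_SID = "S-1-5-7"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Benign: a workstation rotating its own machine-account password.
    {"EventID": 4742, "SubjectUserName": "WS01$",
     "SubjectUserSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "WS01$",
     "PasswordLastSet": "10/10/2020 09:12:03"},
    # Suspicious: an anonymous caller reset the DC's machine-account password,
    # the footprint of the NetrServerPasswordSet2 call Zerologon abuses.
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectUserSid": ANONYMOUS_LOGON_SID, "TargetUserName": "DC01$",
     "PasswordLastSet": "10/10/2020 09:30:41"},
    # Logged by a patched DC that still allows a vulnerable Netlogon channel
    # (enforcement mode not yet enabled). Field names assumed for the example.
    {"EventID": 5829, "SamAccountName": "DC01$", "DomainName": "CORP",
     "ClientIP": "10.0.0.55"},
    # Unrelated logon event, must not be flagged.
    {"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
]

# Assumed list of domain controller machine accounts for severity rating.
DC_ACCOUNTS = {"DC01$", "DC02$"}


def is_machine_account(name: str) -> bool:
    """Machine (computer) accounts end in '$' in sAMAccountName form."""
    return name.endswith("$")


def zerologon_indicators(events, dc_accounts=DC_ACCOUNTS):
    """Return (indicator, account, severity, event) tuples for every event
    that matches a Zerologon footprint.

    - 4742 with ANONYMOUS LOGON as the subject and a machine account as the
      target: the machine-account password was reset by an unauthenticated
      caller. Critical if the target is a domain controller.
    - 5829: the DC accepted a vulnerable Netlogon secure channel connection;
      this is a configuration gap even if no exploitation followed.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4742:
            target = ev.get("TargetUserName", "")
            if ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID and is_machine_account(target):
                severity = "critical" if target in dc_accounts else "high"
                findings.append(("anonymous_machine_password_reset", target, severity, ev))
        elif eid == 5829:
            account = ev.get("SamAccountName", "")
            findings.append(("vulnerable_netlogon_channel_allowed", account, "medium", ev))
    return findings


if __name__ == "__main__":
    for indicator, account, severity, ev in zerologon_indicators(SAMPLE_EVENTS):
        print(f"[{severity}] {indicator}: {account} (EventID {ev['EventID']})")
```

A benign 4742 always carries a real subject SID (the computer itself or an administrator), so the ANONYMOUS LOGON test alone separates the exploit from routine password rotation. Event 5829 is worth alerting on separately because it shows a domain controller that has the patch but has not yet been moved to enforcement mode, which is the state CISA's advisory warns about.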


While the attacks spotted by U.S. agencies involved the Fortinet and MobileIron vulnerabilities, organizations have been warned that attackers could also leverage flaws in Citrix, Pulse Secure,