A joint FBI-CISA cybersecurity advisory issued last week warned of targeted attacks carried out by the Energetic Bear advanced persistent threat (APT) actor against U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.
According to the advisory, the group has been exploiting unpatched Windows Netlogon installations to access Active Directory servers and elevate privileges in order to move laterally across compromised networks.
This detail should pique the interest of operational technology (OT) network operators, given that Active Directory is often installed locally on an OT network or used cross-domain between IT and OT networks. Technologies such as distributed control systems (DCS), for example, often rely on Active Directory as their main authentication repository for network credentials. Penetrating the domain controller of an industrial network could put an attacker in position to interfere with and damage business processes.
Energetic Bear, meanwhile, has been linked to Russian intelligence by numerous threat intelligence companies and the U.S. government. The APT group has for many years targeted organizations in the oil and gas industry in the West, going as far back as 2014, and likely earlier. Their motive in targeting oil and gas, experts believe, has always been industrial espionage in order to learn the inner workings of these industrial control systems and perhaps set the stage for future remote control of networks.
Given the proximity of the Nov. 3 U.S. presidential election, the FBI-CISA advisory puts government agencies on notice of the APT group's activities in order to safeguard voter information and other election-related systems and data. It says no election data has been compromised to date, but warns that these attacks could be setting the stage for future compromise.
Officials note in the advisory that Energetic Bear has, since September, targeted dozens of organizations and attempted intrusions against a number of SLTT organizations. It has successfully infiltrated some, and as of Oct. 1 had stolen data from two compromised servers, including network configuration data, passwords, password-reset information, and more. The advisory does not name the victim organizations.
OT operators would also do well to familiarize themselves with Energetic Bear's tactics. According to the advisory, the APT actor obtains user and administrator credentials to gain an initial foothold on a target network, then exploits other known vulnerabilities to move laterally, steal data, or drop additional malware.
CISA and the FBI warn that they have observed Turkish IP addresses, which may simply be the last hop in an anonymization chain used by the attacker, connecting to victim web servers; brute-force and SQL injection attacks against servers; and attempted drive-by downloads against aviation targets. Energetic Bear, according to the FBI and CISA, is also scanning for Citrix and Microsoft Exchange servers and exploiting known vulnerabilities in each. It has also been enumerating servers vulnerable to the recently patched Netlogon vulnerability, CVE-2020-1472, known as Zerologon. This is a dangerous vulnerability: it not only exposes network resources, including domain controllers, but also lets an attacker establish persistence on a network.
Netlogon is a remote procedure call (RPC) interface that is part of the Windows client authentication architecture. It verifies network logon requests, authenticates users and machines to domain controllers, and facilitates access to networked services. Domain controllers are common in industrial networks, which often span multiple domains and domain controllers. Several proof-of-concept exploits surfaced once the bug was patched in August.
Zerologon allows an attacker to escalate privileges in a domain environment by abusing an insecure use of AES-CFB8. The ComputeNetlogonCredential function in Netlogon encrypts the 8-byte challenge with a fixed initialization vector of 16 zero bytes rather than a random one. Because of this, an all-zero challenge produces an all-zero credential for roughly one session key in 256, regardless of the key. An attacker who knows no machine password can therefore send zeros repeatedly, succeed after about 256 attempts on average, and authenticate as any computer account in the domain, including the domain controller's own account, which is the stepping stone to domain administrator privileges.
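The following script is an added example, not code from the advisory, Microsoft, or Claroty. It models ComputeNetlogonCredential as described above (CFB8 with a hard-coded all-zero IV), the two-call NetrServerReqChallenge/NetrServerAuthenticate3 handshake it protects, and the attacker's retry loop. Three simplifications are assumptions of this example: block_encrypt() is a SHA-256-based stand-in for AES so it runs on a bare Python install (CFB8 and the zero-IV failure behave identically for any 16-byte block cipher); derive_session_key() is a stand-in for the real Netlogon key derivation, of which only the property that the key changes with every fresh server challenge matters; and suspicious_challenge() is an illustrative detection heuristic, not the logic of Microsoft's patch. The real attack additionally has to negotiate away RPC signing and sealing, which is not modelled.

```python
import hashlib
import hmac
import random

BLOCK = 16
ZERO_IV = bytes(BLOCK)       # the fixed IV the vulnerable code used
ZERO_CHALLENGE = bytes(8)    # attacker-chosen client challenge
ZERO_CREDENTIAL = bytes(8)   # attacker-chosen client credential


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128(key, block) (assumption): keyed PRF cut to one block."""
    return hashlib.sha256(b"blk" + key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: ciphertext byte i is plaintext[i] XOR the first byte of
    E(key, register); that ciphertext byte is then shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """The flaw: the IV is hard-coded to zeros instead of being random."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_possible(session_key: bytes) -> bool:
    """With IV = 0 and challenge = 0 the first keystream byte is E(key, 0)[0].
    If it is 0, the output byte is 0, the register stays all zeros, and every
    following byte is 0 too: an all-zero credential for about 1 key in 256."""
    return block_encrypt(session_key, bytes(BLOCK))[0] == 0


def fraction_of_zero_credential_keys(n: int) -> float:
    """Empirical check of the 1/256 figure over n deterministic keys."""
    keys = (hashlib.sha256(i.to_bytes(4, "big")).digest()[:BLOCK] for i in range(n))
    return sum(zero_credential_possible(k) for k in keys) / n


def derive_session_key(secret: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    """Stand-in session-key KDF (assumption); a fresh server challenge gives a fresh key."""
    return hmac.new(secret, client_chal + server_chal, hashlib.sha256).digest()[:BLOCK]


def rand8(rng: random.Random) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(8))


class DomainController:
    """Server side of the Netlogon authentication handshake."""

    def __init__(self, machine_secret: bytes, rng: random.Random):
        self.secret, self.rng, self.pending = machine_secret, rng, None

    def req_challenge(self, client_chal: bytes) -> bytes:
        """NetrServerReqChallenge: exchange challenges and remember both."""
        server_chal = rand8(self.rng)
        self.pending = (client_chal, server_chal)
        return server_chal

    def authenticate3(self, client_cred: bytes) -> bool:
        """NetrServerAuthenticate3: recompute the credential and compare."""
        client_chal, server_chal = self.pending
        key = derive_session_key(self.secret, client_chal, server_chal)
        return hmac.compare_digest(compute_netlogon_credential(key, client_chal), client_cred)


def legitimate_login(dc: DomainController, machine_secret: bytes, rng: random.Random) -> bool:
    """A real machine account knows the secret and derives the same session key."""
    client_chal = rand8(rng)
    server_chal = dc.req_challenge(client_chal)
    key = derive_session_key(machine_secret, client_chal, server_chal)
    return dc.authenticate3(compute_netlogon_credential(key, client_chal))


def zerologon(dc: DomainController, max_attempts: int = 10000):
    """No secret needed: send zero challenge + zero credential until a session
    key happens to yield an all-zero credential. Returns attempts used, or None."""
    for attempt in range(1, max_attempts + 1):
        dc.req_challenge(ZERO_CHALLENGE)
        if dc.authenticate3(ZERO_CREDENTIAL):
            return attempt
    return None


def suspicious_challenge(client_chal: bytes) -> bool:
    """Illustrative detection heuristic (assumption, not the patch logic): honest
    clients draw random challenges, so repeated leading bytes are a strong signal."""
    return len(set(client_chal[:5])) == 1


def run_demo(seed: int) -> dict:
    """Deterministic end-to-end run: honest client, wrong secret, then the attack."""
    rng = random.Random(seed)
    secret = bytes(rng.getrandbits(8) for _ in range(16))   # constructed machine password
    dc = DomainController(secret, rng)
    return {
        "legit": legitimate_login(dc, secret, rng),
        "wrong_secret": legitimate_login(dc, b"wrong secret!!!!", rng),
        "attempts": zerologon(dc),
        "zero_key_fraction": fraction_of_zero_credential_keys(20000),
    }


if __name__ == "__main__":
    print(run_demo(2020))
```

Had the IV been random per credential, an all-zero output would require the keystream byte to be zero at every one of the eight steps with a changing register, a chance of about 2^-64 rather than 2^-8, which is why the fixed zero IV, not CFB8 itself, is the defect.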
The FBI and CISA recommend disabling NTLM or restricting outgoing NTLM traffic, as well as checking available logs for traffic to or from any of the IP addresses listed in the advisory, as evidence of credential-harvesting malware being used to steal admin credentials. Claroty has also detected attacks attempting to exploit this vulnerability.
CWE-121 STACK-BASED BUFFER OVERFLOW:
Affected Vertiv products contain a stack-based buffer overflow vulnerability. An attacker could exploit this vulnerability to gain code execution on the device.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE-287 IMPROPER AUTHENTICATION:
An improper authentication vulnerability exists in the Danfoss AK-SM8xxA Series, resulting in an authentication bypass. This flaw could enable an attacker to generate a web report that discloses sensitive information such as internal IP addresses, usernames, and store names. Installing the latest patch (version 4.2) remediates this vulnerability.
CVSS v3: 8.2
CWE-798 USE OF HARD-CODED CREDENTIALS:
In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect to the device's SSH server using hard-coded credentials and use system components to execute OS commands.
Optigo Networks recommends users implement at least one of the following additional mitigations:
CVSS v3: 9.8
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND:
A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy, or delete information in Mitsubishi Electric smartRTU, or cause a denial-of-service condition on the product.
Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of this vulnerability being exploited:
CVSS v3: 9.8