A joint FBI-CISA cybersecurity advisory issued last week warned of targeted attacks carried out by the Energetic Bear advanced persistent threat (APT) actor against U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.
According to the advisory, the group has been exploiting unpatched Windows Netlogon installations to access Active Directory servers and elevate privileges in order to move laterally across compromised networks.
This detail should pique the interest of operational technology (OT) network operators, given that Active Directory is often installed locally on an OT network or used cross-domain between IT and OT networks. Technologies such as distributed control systems (DCS), for example, often rely on Active Directory as their main authentication repository for network credentials. Penetrating the domain controller of an industrial network could put an attacker in position to interfere with and damage business processes.
Energetic Bear, meanwhile, has been linked to Russian intelligence by numerous threat intelligence companies and the U.S. government. The APT group has for many years targeted organizations in the oil and gas industry in the West, going as far back as 2014, and likely earlier. Their motive in targeting oil and gas, experts believe, has always been industrial espionage in order to learn the inner workings of these industrial control systems and perhaps set the stage for future remote control of networks.
Given the proximity of the Nov. 3 U.S. presidential election, the FBI-CISA advisory puts government agencies on notice of the APT group's activities in order to safeguard voter information and other election-related systems and data. It says no election data has been compromised to date, but warns that these attacks could be setting the stage for future compromise.
Officials note in the advisory that Energetic Bear has, since September, targeted dozens of organizations and attempted a number of intrusions against SLTT organizations. It has successfully infiltrated some, and as of Oct. 1, it had stolen data from two compromised servers, including network configuration data, passwords, password-reset information, and more. The advisory does not name the victim organizations.
OT operators would do well to familiarize themselves with the tactics used by Energetic Bear, as well. According to the advisory, the APT actor is obtaining user and admin credentials to gain an initial foothold on a target network. From there, it attempts to exploit other known vulnerabilities in order to move laterally on a network and steal data or drop additional malware.
CISA and the FBI warn that they have detected the use of Turkish IP addresses—this could be just the last node in an anonymity chain used by the attacker—to connect to victim web servers, brute-force attacks and SQL injection attacks against servers, and attempted drive-by downloads against aviation targets. Energetic Bear, according to the FBI and CISA, is also scanning for Citrix and Microsoft Exchange servers, exploiting known vulnerabilities in each. It has also been enumerating servers vulnerable to the recently patched Netlogon vulnerability, CVE-2020-1472, known as Zerologon. This is a dangerous vulnerability that can not only expose network resources including Domain Controllers, but also allow an attacker to establish persistence on a network.
Netlogon is a remote procedure call (RPC) interface that is part of the Windows Client Authentication Architecture. Its purpose is to verify network login requests, authenticate users to domain controllers, and facilitate access to networked services. Domain controllers are common in industrial networks and often include multiple domains and domain servers. Several proof-of-concept exploits surfaced once the bug was patched in August.
Zerologon allows an attacker to escalate privileges in a domain environment by taking advantage of an insecure implementation of the AES-CFB8 cipher mode. The ComputeNetlogonCredential function in Netlogon uses a fixed initialization vector of 16 zero bytes rather than a random one. This means that an attacker could control the deciphered text and then impersonate any machine on the network that authenticates to the domain controller (DC), including the domain administrator.
The FBI and CISA recommend disabling NTLM credentials or restricting outgoing NTLM traffic, as well as checking available logs for traffic emanating to or from any of the IP addresses in its advisory for evidence of credential-harvesting malware being used to steal admin credentials. Claroty has also detected attacks attempting to exploit this vulnerability.
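Two of the checks recommended above can be scripted against exported logs: looking for traffic to or from the advisory's indicator addresses, and looking for domain controllers that are still accepting vulnerable Netlogon secure-channel connections. The following Python is an added example, not code from the advisory or from Claroty. The indicator list is a constructed placeholder (RFC 5737 documentation ranges) because this page does not reproduce the advisory's IP addresses, and the log lines are a constructed key=value export rather than a real Windows or firewall format. The event IDs 5827 through 5831 are the ones Microsoft's August 2020 Netlogon patch (KB4557222) added to report vulnerable secure-channel connections; 5829 through 5831 mean such a connection was allowed, 5827 and 5828 mean it was denied, which is what enforcement mode produces.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Placeholder indicators (constructed): the advisory's own IP list is not
# reproduced on this page, so RFC 5737 documentation addresses stand in for it.
# Entries may be single addresses or CIDR ranges.
ADVISORY_IOCS = ["203.0.113.0/24", "198.51.100.7"]

# Netlogon events Microsoft added with the August 2020 patch (KB4557222).
# 5829-5831: the DC *allowed* a vulnerable (non-secure-RPC) secure channel.
# 5827-5828: the DC denied one; this is what enforcement mode produces.
NETLOGON_ALLOWED = {"5829", "5830", "5831"}
NETLOGON_DENIED = {"5827", "5828"}

# Constructed sample lines in a simplified key=value export (not a real Windows
# or firewall log format; adapt the regexes below to your own sources).
SAMPLE_LOG = """\
2020-10-20T01:12:03Z proxy src=10.20.30.4 dst=203.0.113.45 dport=443 action=allow
2020-10-20T01:12:09Z proxy src=10.20.30.4 dst=192.0.2.10 dport=443 action=allow
2020-10-20T01:15:41Z dc01 EventID=5829 Account=HMI-WS07$ Domain=PLANT Type=MachineAccount
2020-10-20T01:15:42Z dc01 EventID=4624 Account=operator Domain=PLANT LogonType=3
2020-10-20T01:16:00Z fw src=198.51.100.7 dst=10.20.30.10 dport=445 action=allow
2020-10-20T01:16:05Z dc01 EventID=5827 Account=OLDSCADA$ Domain=PLANT Type=MachineAccount
"""

_FLOW_RE = re.compile(r"^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+)")
_EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+)")


def _compile_iocs(iocs: Iterable[str]):
    """Turn strings into ip_network objects so single hosts and ranges both match."""
    return [ipaddress.ip_network(i, strict=False) for i in iocs]


def find_ioc_contacts(log_text: str, iocs: Iterable[str]) -> List[Dict[str, str]]:
    """Return every flow whose source or destination falls inside an indicator."""
    nets = _compile_iocs(iocs)
    hits = []
    for line in log_text.splitlines():
        m = _FLOW_RE.match(line)
        if not m:
            continue
        for field in ("src", "dst"):
            ip = ipaddress.ip_address(m.group(field))
            if any(ip in n for n in nets):
                hits.append({"ts": m.group("ts"),
                             "direction": "outbound" if field == "dst" else "inbound",
                             "matched_ip": str(ip), "line": line})
                break  # one finding per line is enough
    return hits


def find_vulnerable_netlogon(log_text: str) -> List[Dict[str, str]]:
    """Return Netlogon secure-channel events showing clients not yet using secure RPC.
    'allowed' entries are the ones to chase: those clients will break once the DC
    is switched to enforcement mode, and until then they remain the weak spot."""
    findings = []
    for line in log_text.splitlines():
        m = _EVENT_RE.match(line)
        if not m:
            continue
        eid = m.group("id")
        if eid in NETLOGON_ALLOWED:
            status = "allowed"
        elif eid in NETLOGON_DENIED:
            status = "denied"
        else:
            continue
        findings.append({"ts": m.group("ts"), "dc": m.group("host"), "event_id": eid,
                         "account": m.group("acct"), "status": status})
    return findings


if __name__ == "__main__":
    for h in find_ioc_contacts(SAMPLE_LOG, ADVISORY_IOCS):
        print(f"[IOC] {h['ts']} {h['direction']} contact with {h['matched_ip']}")
    for f in find_vulnerable_netlogon(SAMPLE_LOG):
        print(f"[NETLOGON] {f['ts']} {f['dc']} event {f['event_id']} {f['status']} for {f['account']}")
```

On the sample data this reports the outbound proxy connection to 203.0.113.45, the inbound SMB connection from 198.51.100.7, one allowed vulnerable Netlogon connection for HMI-WS07$ and one denied for OLDSCADA$. In an OT environment the "allowed" entries are typically engineering workstations or legacy HMIs that have not received the client-side patch and need attention before enforcement mode is enabled.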
CWE-78: Improper Neutralization of Special Elements used in an OS Command:
A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of-service condition on the product.
Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of exploiting this vulnerability:
CVSS v3: 9.8
CWE-306: Missing Authentication for Critical Function:
A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands.
Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of exploiting this vulnerability:
CVSS v3: 7.5
CWE-547: Use of Hard-coded, Security-relevant Constants:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
CWE-288: Authentication Bypass Using an Alternate Path or Channel:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain control over utilities within the products.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 9.8
CWE-547: Use of Hard-coded, Security-relevant Constants:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
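The hard-coded JWT secret described above is a general pattern worth seeing side by side with its fix. The following Python is an added example written for this page; it is not Optigo's code and says nothing about how the product actually signs tokens. It implements a minimal HS256 JWT with the standard library, shows the weak pattern (a signing key that is a constant in the source, so every installation shares it and anyone who reads the package can mint tokens), and the hardened pattern (a per-deployment key generated from a CSPRNG on first start and stored with restrictive permissions). The `HARDCODED_KEY` value, file names and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from typing import Optional

# The weak pattern: a signing key baked into the source, identical on every
# installation. (Constructed value; nothing to do with any real product.)
HARDCODED_KEY = b"change-me-please-0123456789abcdef"


def load_or_create_secret(path: str) -> bytes:
    """Per-deployment key: generated with a CSPRNG on first start, stored 0600.
    Every installation ends up with a different, unpredictable key."""
    if os.path.exists(path):
        with open(path, "rb") as f:
            return f.read()
    key = secrets.token_bytes(32)  # 256-bit key for HS256
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out under *key*, else None.
    The algorithm is pinned server-side; the token header is not trusted to pick it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


def demo() -> dict:
    """Run the weak and hardened deployments side by side and return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "jwt.key")
        key_a = load_or_create_secret(key_path)        # first start: generated
        key_a_again = load_or_create_secret(key_path)  # restart: same key read back
    # A token minted with the published constant, as anyone with the package could.
    forged = sign_jwt({"sub": "admin"}, HARDCODED_KEY)
    return {
        "key_persisted": key_a == key_a_again and len(key_a) == 32,
        "weak_install_accepts_forged": verify_jwt(forged, HARDCODED_KEY) is not None,
        "hardened_install_rejects_forged": verify_jwt(forged, key_a) is None,
        "hardened_install_accepts_own": verify_jwt(sign_jwt({"sub": "admin"}, key_a), key_a) == {"sub": "admin"},
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The upgrade an affected user applies is, in effect, the move from `HARDCODED_KEY` to `load_or_create_secret`: the per-install key is unknown to anyone who only has the software, and existing sessions issued under the old constant stop validating as soon as the key changes.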