A joint FBI-CISA cybersecurity advisory issued last week warned of targeted attacks carried out by the Energetic Bear advanced persistent threat (APT) actor against U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.
According to the advisory, the group has been exploiting unpatched Windows Netlogon installations to access Active Directory servers and elevate privileges in order to move laterally across compromised networks.
This detail should pique the interest of operational technology (OT) network operators, given that Active Directory is often installed locally on an OT network or used cross-domain between IT and OT networks. Technologies such as distributed control systems (DCS), for example, often rely on Active Directory as their main authentication repository for network credentials. Penetrating the domain controller of an industrial network could put an attacker in position to interfere with and damage business processes.
Energetic Bear, meanwhile, has been linked to Russian intelligence by numerous threat intelligence companies and the U.S. government. The APT group has for many years targeted organizations in the oil and gas industry in the West, going as far back as 2014, and likely earlier. Their motive in targeting oil and gas, experts believe, has always been industrial espionage in order to learn the inner workings of these industrial control systems and perhaps set the stage for future remote control of networks.
Given the proximity of the Nov. 3 U.S. presidential election, the FBI-CISA advisory puts government agencies on notice of the APT group's activities in order to safeguard voter information and other election-related systems and data. It says no election data has been compromised to date, but warns that these attacks could be setting the stage for future compromise.
Officials note in the advisory that Energetic Bear has, since September, targeted dozens of organizations and attempted a number of intrusions against SLTT organizations. It has successfully infiltrated some, and as of Oct. 1 it had stolen data from two compromised servers, including network configuration data, passwords, password-reset information, and more. The advisory does not name the victim organizations.
OT operators would do well to familiarize themselves with the tactics used by Energetic Bear, as well. According to the advisory, the APT actor is obtaining user and admin credentials to gain an initial foothold on a target network. From there, it attempts to exploit other known vulnerabilities in order to move laterally on a network and steal data or drop additional malware.
CISA and the FBI warn that they have detected the use of Turkish IP addresses—these could be just the last node in an anonymity chain used by the attacker—to connect to victim web servers, brute-force attacks and SQL injection attacks against servers, and attempted drive-by downloads against aviation targets. Energetic Bear, according to the FBI and CISA, is also scanning for Citrix and Microsoft Exchange servers and exploiting known vulnerabilities in each. It has also been enumerating servers vulnerable to the recently patched Netlogon vulnerability, CVE-2020-1472, known as Zerologon. This is a dangerous vulnerability that can not only expose network resources, including domain controllers, but also allow an attacker to establish persistence on a network.
Netlogon is a remote procedure call (RPC) interface that is part of the Windows Client Authentication Architecture. Its purpose is to verify network login requests, authenticate users to domain controllers, and facilitate access to networked services. Domain controllers are common in industrial networks and often include multiple domains and domain servers. Several proof-of-concept exploits surfaced once the bug was patched in August.
Zerologon allows an attacker to escalate privileges in a domain environment by taking advantage of an insecure implementation of AES in CFB8 mode. The ComputeNetlogonCredential function in Netlogon uses a fixed initialization vector of 16 zero bytes rather than a randomized one. This means that an attacker can control the deciphered text and then impersonate any machine on the network that authenticates to the domain controller (DC), including the domain administrator.
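To show why a fixed all-zero IV is fatal for CFB8 specifically, here is an added example that is not from the advisory, from Microsoft, or from Claroty. It implements generic CFB8 mode over a stand-in block function (a keyed SHA-256 truncated to one block, constructed for this example and not AES) and demonstrates the structural property: with IV = 0 and an all-zero plaintext, the shift register never changes while the keystream byte is zero, so the entire ciphertext is zero for roughly one key in 256, regardless of which block cipher sits underneath. The remediation the text implies, a fresh random IV per call, is shown at the end.

```python
import hashlib
import os

BLOCK = 16
ZERO_IV = bytes(BLOCK)  # the fixed all-zero IV the text describes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (constructed for this example).

    CFB8's fixed-IV weakness does not depend on the block cipher underneath, so a
    keyed SHA-256 truncated to one block is enough to show the structure. It is
    NOT AES and must not be reused as a cipher.
    """
    assert len(key) == BLOCK and len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 mode: each plaintext byte is XORed with the first byte of
    E(K, register); the ciphertext byte is then shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


def is_weak_key(key: bytes) -> bool:
    """With IV = 0 and plaintext = 0, the register stays all-zero for as long as the
    keystream byte is 0, so the whole ciphertext is zero exactly when the first byte
    of E(K, 0^16) is zero: a 1-in-256 event over random keys."""
    return block_encrypt(key, ZERO_IV)[0] == 0


def key_from_counter(i: int) -> bytes:
    return i.to_bytes(BLOCK, "big")


def find_weak_key(limit: int = 5000) -> bytes:
    """Deterministically scan keys 0, 1, 2, ... until a weak one turns up."""
    for i in range(limit):
        key = key_from_counter(i)
        if is_weak_key(key):
            return key
    raise RuntimeError("no weak key found in range (astronomically unlikely)")


def find_strong_key(limit: int = 5000) -> bytes:
    """Companion to find_weak_key: the first key whose first keystream byte is nonzero."""
    for i in range(limit):
        key = key_from_counter(i)
        if not is_weak_key(key):
            return key
    raise RuntimeError("no strong key found in range (astronomically unlikely)")


def weak_key_fraction(samples: int = 5000) -> float:
    """Fraction of sequential keys whose zero-IV, zero-plaintext ciphertext is all
    zero; expect a value near 1/256."""
    hits = sum(1 for i in range(samples) if is_weak_key(key_from_counter(i)))
    return hits / samples


def all_zero_ciphertext(key: bytes, iv: bytes, length: int = 8) -> bool:
    """True when encrypting `length` zero bytes under (key, iv) yields all zeros."""
    return cfb8_encrypt(key, iv, bytes(length)) == bytes(length)


if __name__ == "__main__":
    weak = find_weak_key()
    print("weak key:", weak.hex())
    print("zero IV, zero plaintext:", cfb8_encrypt(weak, ZERO_IV, bytes(8)).hex())
    # The remediation: a fresh random IV per call breaks the key-only dependence.
    print("random IV, same key:    ", cfb8_encrypt(weak, os.urandom(BLOCK), bytes(8)).hex())
    print("fraction of weak keys:  ", weak_key_fraction())
```

The lesson for anyone reviewing a custom authentication scheme: a mode of operation's security proof assumes its IV is unpredictable, and CFB8's one-byte feedback makes a fixed IV collapse to a single keystream byte guess. A per-call random IV, or better a standard AEAD construction, removes the dependence on the key alone.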
The FBI and CISA recommend disabling NTLM credentials or restricting outgoing NTLM traffic, as well as checking available logs for traffic to or from any of the IP addresses listed in the advisory for evidence of credential-harvesting malware being used to steal admin credentials. Claroty has also detected attacks attempting to exploit this vulnerability.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends that users upgrade to the following:
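The hard-coded JWT secret above is a CWE-547 pattern worth seeing beside its fix. The following added example is not Optigo's code and says nothing about how their product signs tokens; it is a minimal HS256 sign/verify pair in the standard library showing the practices a review would look for: a per-deployment secret loaded from outside the source tree (the environment variable name is hypothetical), a minimum-length and known-constant check on that secret, a pinned algorithm so the token cannot choose its own, and a constant-time signature comparison. The `HARDCODED_SECRET` constant is a constructed stand-in for the anti-pattern.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

# The CWE-547 pattern: one constant compiled into every copy of the product.
# Constructed value for this example, not the vendor's.
HARDCODED_SECRET = b"demo-hardcoded-secret"
KNOWN_WEAK_SECRETS = {HARDCODED_SECRET, b"secret", b"changeme"}


def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64url_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def new_secret() -> bytes:
    """A 256-bit secret generated at install time and kept out of source control."""
    return secrets.token_bytes(32)


def load_secret(env_var: str = "APP_JWT_SECRET_HEX") -> bytes:
    """Per-deployment secret from the environment (hypothetical variable name). A
    freshly generated one is returned only so this example runs without setup;
    a real service would persist it once and fail closed if it is missing."""
    value = os.environ.get(env_var)
    return bytes.fromhex(value) if value else new_secret()


def secret_is_acceptable(key: bytes) -> bool:
    """Reject short keys and anything on the known-constant list."""
    return len(key) >= 32 and key not in KNOWN_WEAK_SECRETS


def sign_hs256(payload: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = header + b"." + body
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + b64url(sig)).decode()


def verify_hs256(token: str, key: bytes):
    """Return the payload if `token` is a valid HS256 JWT under `key`, else None."""
    try:
        header_b, body_b, sig_b = token.encode().split(b".")
        header = json.loads(b64url_decode(header_b))
        signature = b64url_decode(sig_b)
    except (ValueError, UnicodeDecodeError):  # covers JSONDecodeError and binascii.Error
        return None
    # Pin the algorithm: never let the token pick "none" or a different MAC.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, header_b + b"." + body_b, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(body_b))
    except ValueError:
        return None


if __name__ == "__main__":
    key = load_secret()
    token = sign_hs256({"sub": "operator", "role": "viewer"}, key)
    print("token:", token)
    print("verifies with deployment key:", verify_hs256(token, key))
    print("verifies with the hard-coded constant:", verify_hs256(token, HARDCODED_SECRET))
    print("hard-coded constant acceptable?", secret_is_acceptable(HARDCODED_SECRET))
```

The point of `secret_is_acceptable` is to make the build fail, or the service refuse to start, when someone ships the placeholder; a secret that is identical in every installation is, for session forgery purposes, public.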
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product attempts a mount against a hard-coded, routable IP address, bypassing the device's existing network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
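Both the FBI-CISA guidance earlier on this page (check logs for traffic to or from the advisory's IP addresses) and the Contec mitigation just above come down to the same check: does anything on my network talk to a listed range? The following is an added example, not CISA's or Claroty's tooling, that runs that check over constructed firewall log lines. The IPs in the blocklist are the Contec ranges quoted above; the Energetic Bear advisory's own addresses are not on this page, so they are not included. The log format, ports and internal addresses are made up for the example.

```python
import ipaddress
import re

# Ranges and hosts named in the CISA mitigation quoted above.
BLOCKED_NETWORKS = [ipaddress.ip_network("202.114.4.0/24")]
BLOCKED_HOSTS = {ipaddress.ip_address("202.114.4.119"), ipaddress.ip_address("202.114.4.120")}

# Constructed sample lines in a generic key=value firewall/flow-log format
# (assumption: real exports differ; adjust LINE_RE). Ports and internal
# addresses are made up.
SAMPLE_LOG = """\
2025-02-03T08:12:01Z action=allow src=10.20.30.41 dst=10.20.30.1 proto=udp dport=53
2025-02-03T08:12:05Z action=allow src=10.20.30.41 dst=202.114.4.119 proto=tcp dport=2049
2025-02-03T08:12:09Z action=allow src=10.20.30.42 dst=93.184.216.34 proto=tcp dport=443
2025-02-03T08:13:00Z action=allow src=202.114.4.7 dst=10.20.30.41 proto=tcp dport=445
2025-02-03T08:13:30Z action=deny src=10.20.30.41 dst=202.114.4.120 proto=udp dport=111
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def is_blocked(addr_text: str) -> bool:
    """True if the address is one of the listed hosts or inside a listed network."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False  # not an IP literal (hostname, garbage): nothing to match
    return addr in BLOCKED_HOSTS or any(addr in net for net in BLOCKED_NETWORKS)


def find_hits(log_text: str) -> list:
    """Return (line_number, direction, address, line) for every src/dst match.
    Denied connections are reported too: the attempt is the signal."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m:
            continue
        for direction in ("src", "dst"):
            addr = m.group(direction)
            if is_blocked(addr):
                hits.append((lineno, direction, addr, line))
    return hits


def internal_talkers(log_text: str) -> set:
    """Internal hosts that exchanged traffic with the listed ranges, i.e. the
    devices an asset owner should go and physically identify."""
    talkers = set()
    for _lineno, direction, _addr, line in find_hits(log_text):
        m = LINE_RE.search(line)
        other = "dst" if direction == "src" else "src"
        talkers.add(m.group(other))
    return talkers


if __name__ == "__main__":
    for lineno, direction, addr, line in find_hits(SAMPLE_LOG):
        print(f"line {lineno}: {direction}={addr} :: {line}")
    print("internal hosts to investigate:", sorted(internal_talkers(SAMPLE_LOG)))
```

A firewall rule stops the mount; the log check tells you which devices were trying, which matters when the page notes the device may be re-labeled and sold under another name.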
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable because its update mechanism fails to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle (MITM) attack. An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends that users download v2025.1 or later of their software.
CVSS v3: 5.7
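The CWE-295 entry above describes an updater that speaks TLS but does not verify who it is speaking to. The following added example, which is not Medixant's code and assumes nothing about how their updater works, shows the non-verifying context beside the correct one and an `fetch_update` routine that refuses a non-verifying context and additionally checks the downloaded payload against a SHA-256 digest obtained through a separate channel. The update URL is a placeholder and the payload is constructed; the `opener` argument exists only so the routine can be exercised offline.

```python
import hashlib
import hmac
import ssl
import urllib.request

# Placeholder: the real update endpoint and the out-of-band digest are not on this page.
UPDATE_URL = "https://updates.example.invalid/update-v2025.1.bin"


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern behind CWE-295: TLS is on, but any certificate is accepted,
    so a machine-in-the-middle can present its own and swap the payload."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context(cafile: str = None) -> ssl.SSLContext:
    """Verify the chain against the system store (or a pinned update CA passed in
    `cafile`), check the hostname, and refuse legacy TLS versions."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """The property an updater must insist on before sending a single byte."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def fetch_update(url: str, expected_sha256: str, ctx=None, opener=urllib.request.urlopen) -> bytes:
    """Download over a verifying TLS context and check the payload against a digest
    published out of band, so a substituted response is rejected even if the
    transport check were ever misconfigured. `opener` is injectable for offline use."""
    ctx = ctx or secure_context()
    if not context_verifies(ctx):
        raise ValueError("refusing to download updates over a non-verifying TLS context")
    with opener(url, context=ctx, timeout=30) as resp:
        data = resp.read()
    if not digest_matches(data, expected_sha256):
        raise ValueError("update payload does not match the expected SHA-256")
    return data


def offline_opener(payload: bytes):
    """Test double standing in for urllib.request.urlopen (constructed, no network)."""
    class _Resp:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

        def read(self):
            return payload

    def _open(url, context=None, timeout=None):
        return _Resp()

    return _open


if __name__ == "__main__":
    sample = b"constructed update bytes"
    print("secure context verifies:", context_verifies(secure_context()))
    print("insecure context verifies:", context_verifies(insecure_context()))
    print("fetched:", fetch_update(UPDATE_URL, sha256_hex(sample), opener=offline_opener(sample)))
```

Certificate verification authenticates the server; the digest (or, better, a signature over the update with a key the vendor controls) authenticates the file, and an updater wants both so that a compromised mirror or CDN node cannot serve a modified build.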