OT Implications of Energetic Bear's Targeting of Zerologon
By The Claroty Research Team | October 27, 2020
A joint FBI-CISA cybersecurity advisory issued last week warned of targeted attacks carried out by the Energetic Bear advanced persistent threat (APT) actor against U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.
According to the advisory, the group has been exploiting unpatched Windows Netlogon installations to access Active Directory servers and elevate privileges in order to move laterally across compromised networks.
This detail should pique the interest of operational technology (OT) network operators, given that Active Directory is often installed locally on an OT network or used cross-domain between IT and OT networks. Technologies such as distributed control systems (DCS), for example, often rely on Active Directory as their main authentication repository for network credentials. Penetrating the domain controller of an industrial network could put an attacker in position to interfere with and damage business processes.
Oil & Gas are Frequent Targets of Energetic Bear
Energetic Bear, meanwhile, has been linked to Russian intelligence by numerous threat intelligence companies and the U.S. government. The APT group has for many years targeted organizations in the oil and gas industry in the West, going as far back as 2014, and likely earlier. Their motive in targeting oil and gas, experts believe, has always been industrial espionage in order to learn the inner workings of these industrial control systems and perhaps set the stage for future remote control of networks.
Given the proximity of the Nov. 3 U.S. presidential election, the FBI-CISA advisory puts government agencies on notice of the APT group’s activities in order to safeguard voter information and other election-related systems and data. It says no election data has been compromised to date, but warns that these attacks could be setting the stage for future compromise.
Officials note in the advisory that Energetic Bear has, since September, targeted dozens organizations and attempted a number of intrusions against SLTT organizations. It has successfully infiltrated some, and as of Oct. 1, it had stolen data from two compromised servers, including network configuration data, passwords, password-reset information, and more. The advisory does not name the victim organizations.
APT Group Covers Lateral Movement, Network Persistence
OT operators would do well to familiarize themselves with the tactics used by Energetic Bear, as well. According to the advisory, the APT actor is obtaining user and admin credentials to gain an initial foothold on a target network. From there, it attempts to exploit other known vulnerabilities in order to move laterally on a network and steal data or drop additional malware.
CISA and the FBI warn that they have detected the use of Turkish IP addresses—this could be just the last node in an anonymity chain used by the attacker—to connect to victim web servers, brute-force attacks and SQL injection attacks against servers, and attempted drive-by downloads against aviation targets. Energetic Bear, according to the FBI and CISA, is also scanning for Citrix and Microsoft Exchange servers, exploiting known vulnerabilities in each. They have also been enumerating servers vulnerable to the recently patched Netlogon vulnerability, CVE-2020-1472, known as Zerologon. This is a dangerous vulnerability that can not only expose network resources including Domain Controllers, but also allow an attacker to establish persistence on a network.
Netlogon is a remote procedure call (RPC) interface that is part of the Windows Client Authentication Architecture. Its purpose is to verify network login requests, authenticate users to domain controllers, and facilitate access to networked services. Domain controllers are common in industrial networks and often include multiple domains and domain servers. Several proof-of-concept exploits surfaced once the bug was patched in August.
Zerologon allows an attacker to escalate privileges in a domain environment, taking advantage of an insecure AES-CFB8 cryptographic algorithm implementation. The ComputeNetlogonCredential function in Netlogon uses a fixed initialization vector consisting of 16 bytes of zeros rather than a randomized one. This means that an attacker could control the deciphered text and then impersonate any machine on a network authenticating to the domain controller (DC) including the domain administrator
The FBI and CISA recommend disabling NTLM credentials or restricting outgoing NTLM traffic, as well as checking available logs for traffic emanating to or from any of the IP addresses in its advisory for evidence of credential-harvesting malware being used to steal admin credentials. Claroty has also detected attacks attempting to exploit this vulnerability.