Security Experts:

Connect with us

Hi, what are you looking for?



Zerologon Chained With Fortinet, MobileIron Vulnerabilities in U.S. Government Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that government networks have been targeted in attacks exploiting the Zerologon vulnerability in combination with flaws affecting Fortinet and MobileIron products.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that government networks have been targeted in attacks exploiting the Zerologon vulnerability in combination with flaws affecting Fortinet and MobileIron products.

“This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” CISA said in an advisory written with contributions from the FBI.

It added, “CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised.”

According to CISA, the attacks, which appear to be ongoing, have in many cases involved exploitation of CVE-2018-13379, a Fortinet FortiOS VPN vulnerability, and in some cases CVE-2020-15505, a recently detailed issue affecting MobileIron’s mobile device management (MDM) solutions.

These security holes were exploited by malicious actors to gain initial access to the targeted network, and then they used Zerologon to escalate privileges and compromise Active Directory identity services. CISA has described the attackers as “APT actors.”

While the attacks spotted by US agencies involved the Fortinet and MobileIron vulnerabilities, organizations have been warned that attackers could also leverage flaws in Citrix, Pulse Secure, Palo Alto Networks and F5 Networks products for the same purpose.

The Zerologon vulnerability, officially tracked as CVE-2020-1472, is a privilege escalation issue affecting Windows Server. It allows an attacker who has access to the targeted network to hack domain controllers without credentials.

Microsoft patched the flaw in August, but it appears many organizations have failed to install the patches and threat actors are increasingly exploiting it in their operations.

CISA issued its first warning about Zerologon being exploited in attacks in late September, shortly after it issued an emergency directive instructing federal agencies to immediately install the patches.

According to Microsoft, the Zerologon vulnerability has been exploited by both profit-driven cybercriminals and state-sponsored groups.

Related: Samba Issues Patches for Zerologon Vulnerability

Related: CISA Says Threat Actor Breached Federal Agency’s Network

Related: FBI, CISA Warn of Disinformation Campaigns Targeting 2020 Election Results

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...