Zerologon attack lets hackers take over enterprise networks

CyberPanther

Oct 1, 2019
If you're managing enterprise Windows Servers, don't skip on the August 2020 Patch Tuesday.

Unbeknownst to many, Microsoft patched last month in August one of the most severe bugs ever reported to the company, an issue that could be abused to easily take over Windows Servers running as domain controllers in enterprise networks.

The bug was patched in the August 2020 Patch Tuesday under the identifier of CVE-2020-1472. It was described as an elevation of privilege in Netlogon, the protocol that authenticates users against domain controllers.

The vulnerability received the maximum severity rating of 10, but details were never made public, meaning users and IT administrators never knew how dangerous the issue really was.

TAKE OVER A DOMAIN CONTROLLER WITH A BUNCH OF ZEROS
But in a blog post today, the team at Secura B.V., a Dutch security firm, has finally lifted the veil over this mysterious bug and published a technical report describing CVE-2020-1472 in greater depth.
 

[correlate]

May 4, 2019
The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders. It was discovered by Tom Tervoort, a security researcher at Secura and privately reported to Microsoft, which issued a patch for supported Windows versions as part of August 2020 updates and assigned it CVE-2020-1472.
 

silversurfer

Aug 17, 2014
Cybersecurity and Infrastructure Security Agency (CISA) said on Friday.
“The vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services,” it explained.
 

oldschool

Mar 29, 2018
The US Department of Homeland Security is giving federal agencies until midnight on Tuesday to patch a critical Windows vulnerability that can make it easy for attackers to become all-powerful administrators with free rein to create accounts, infect an entire network with malware, and carry out similarly disastrous actions. Zerologon, as researchers have dubbed the vulnerability, allows malicious hackers to instantly gain unauthorized control of the Active Directory. An Active Directory stores data relating to users and computers that are authorized to use email, file sharing, and other sensitive services inside large organizations. Zerologon is tracked as CVE-2020-1472. Microsoft published a patch last Tuesday.

An unacceptable risk
The flaw, which is present in all supported Windows server versions, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Further raising the stakes was the release by multiple researchers of proof-of-concept exploit code that could provide a roadmap for malicious hackers to create working attacks. Officials with the Cybersecurity and Infrastructure Security Agency, which belongs to the DHS, issued an emergency directive on Friday that warned of the potentially severe consequences for organizations that don’t patch. It states:

CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action. This determination is based on the following:
  • the availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited;
  • the widespread presence of the affected domain controllers across the federal enterprise;
  • the high potential for a compromise of agency information systems;
  • the grave impact of a successful compromise; and
  • the continued presence of the vulnerability more than 30 days since the update was released.
CISA, which has authorization to issue emergency directives intended to mitigate known or suspected security threats, is giving organizations until 11:59pm EDT on Monday to either install a Microsoft patch or disconnect the vulnerable domain controller from the organization network. No later than 11:59pm EDT on Wednesday, agencies are to submit a completion report attesting the update has been applied to all affected servers or provide assurance that newly provisioned or previously disconnected servers will be patched.

Exploitation is easier than expected
When details of the vulnerability first surfaced last Tuesday, many researchers assumed it could be exploited only when attackers already had a toehold inside a vulnerable network, by either a malicious insider or an outside attacker who had already gained lower-level user privileges. Such post-compromise exploits can be serious, but the requirement can be a high-enough bar to either buy vulnerable networks time or push attackers into exploiting easier but less severe security flaws. Since then, several researchers have said that it’s possible for attackers to exploit the vulnerability over the Internet without first having such low-level access. The reason: despite the risks, some organizations expose their domain controllers—that is, the servers that run Active Directory—to the Internet. Networks that do this and also have exposed Server Message Block for file sharing or Remote Procedure Call for intra-network data exchange may be exploitable with no other requirements.

“If you have set up detections for #zerologon (CVE-2020-1472), don’t forget that it could also be exploited over SMB!” researchers from security firm Zero Networks wrote. “Run this test script (based on @SecuraBV) for both RPC/TCP and RPC/SMB.”

Kevin Beaumont, acting in his capacity as an independent researcher, added: “There’s a good (but minor) barrier to entry as so far the exploits don’t automate remotely querying the domain and Netbios name of DC. One unpatched domain controller = every patched domain endpoint is vulnerable to RCE. Another pivot, if you have SMB open—RPC over SMB. Attn network detection folks.” Queries using the Binary Edge search service show that almost 30,000 domain controllers are viewable and another 1.3 million servers have RPC exposed. In the event either of these settings apply to a single server, it may be vulnerable to remote attacks that send specially crafted packets that give full access to the active directory. Beaumont and other researchers continue to find evidence that people are actively developing attack code, but so far there are no public reports that exploits—either successful or attempted—are active. Given the stakes and the amount of publicly available information about the vulnerability, it wouldn’t be surprising to see in-the-wild exploits emerge in the coming days or weeks.
 

[correlate]

May 4, 2019
What is ZeroLogon?
Before we start going full tilt technical attack and defend, what is the bug and how does it work?

The Netlogon Remote Protocol (also called MS-NRPC) is a remote procedure call (RPC) interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel. These updates enforce the specified Netlogon client behaviour to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC).
Zerologon, also known as CVE-2020-1472, affects a cryptographic authentication scheme (AES-CFB8) used by MS-NRPC. This scheme has multiple uses; however, the reason this is so widely publicised is the ability to change computer account passwords, which can lead to a foothold within a Windows estate.
AES-CFB8 works in that it encrypts each byte of the plaintext by prepending a 16-byte Initialisation Vector (IV) to the plaintext, then applying AES to the first 16 bytes of the IV and plaintext, taking the first byte of the AES output, and XORing it with the next plaintext byte.
Why is this important? Well, the way to exploit the authentication protocol is to brute-force login attempts; for 1 in 256 keys, applying AES-CFB8 encryption to an all-zero plaintext will result in all-zero ciphertext, thus enabling a bypass of logon, and hence where the name Zerologon comes from.
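The CFB8 property described in the post above can be checked directly. The script below is an added illustration, not code from the post, from Secura, or from Microsoft. It assumes a stand-in 16-byte keyed block function built from SHA-256 in place of AES (so it runs with the Python standard library alone); the 1-in-256 behaviour depends only on the CFB8 construction with a fixed all-zero IV, not on which block cipher sits inside it, so the stand-in shows the same effect. The sample keys are constructed, not real secrets. It also shows the structural reason: once the first keystream byte is zero, the shift register never leaves the all-zero state, so every later keystream byte is the same zero, and that a fresh random IV removes the shortcut.

```python
"""
CFB8 with a fixed all-zero IV: why 1 in 256 keys yields an all-zero ciphertext.

Added illustration (not from the post or Secura). AES is replaced by a stand-in
keyed block function derived from SHA-256; this is an assumption so the script
runs offline. The property shown is a property of CFB8 itself.
"""
import hashlib
import os

BLOCK = 16  # block size in bytes, as for AES


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_k(block): a keyed 16-byte pseudorandom function.
    NOT AES; used only so the CFB8 structure can be demonstrated offline."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 as the post describes it: for each plaintext byte, run the block
    function over the current 16-byte shift register, take the first output
    byte as keystream, XOR it with the plaintext byte, and shift the resulting
    ciphertext byte into the register."""
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_fn(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def sample_key(i: int) -> bytes:
    """Deterministic constructed sample key number i (not a real secret)."""
    return hashlib.sha256(b"constructed-sample-key-%d" % i).digest()


def zero_iv_gives_zero_ciphertext(key: bytes, n_bytes: int = 8) -> bool:
    """True when n_bytes of zero plaintext under an all-zero IV encrypt to zeros."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(n_bytes)) == bytes(n_bytes)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The structural reason: with register == 0^16 the first keystream byte is
    block_fn(key, 0^16)[0]. If it is 0, the ciphertext byte is 0, the register
    stays all zeros, and every later keystream byte is that same 0."""
    return block_fn(key, bytes(BLOCK))[0] == 0


def count_weak_keys(n_keys: int) -> dict:
    """Count how many of n_keys constructed keys produce an all-zero ciphertext.
    Expect roughly n_keys / 256, and exactly as many keys as have a zero first
    keystream byte."""
    all_zero = sum(zero_iv_gives_zero_ciphertext(sample_key(i)) for i in range(n_keys))
    first_zero = sum(first_keystream_byte_is_zero(sample_key(i)) for i in range(n_keys))
    return {"keys": n_keys, "all_zero_ciphertext": all_zero,
            "first_keystream_byte_zero": first_zero, "expected": n_keys / 256}


def find_weak_key(max_keys: int = 100000):
    """Return the first constructed sample key with the all-zero property, or None."""
    for i in range(max_keys):
        key = sample_key(i)
        if first_keystream_byte_is_zero(key):
            return key
    return None


def random_iv_breaks_the_shortcut(key: bytes, trials: int = 64) -> bool:
    """With a fresh random IV the register does not start all-zero, so even a key
    with block_fn(key, 0^16)[0] == 0 no longer gives a predictable ciphertext:
    the zero-plaintext ciphertexts differ from trial to trial."""
    seen = {cfb8_encrypt(key, os.urandom(BLOCK), bytes(8)) for _ in range(trials)}
    return len(seen) > 1


if __name__ == "__main__":
    print(count_weak_keys(4096))
    weak = find_weak_key()
    print("weak key -> all-zero ciphertext:", zero_iv_gives_zero_ciphertext(weak))
    print("random IV removes the shortcut:", random_iv_breaks_the_shortcut(weak))
```

Running it prints a count close to 4096 / 256 = 16 and confirms that the count of all-zero ciphertexts equals the count of keys whose first keystream byte is zero, which is the whole mechanism behind the name. The last line is the defensive takeaway: the weakness is the fixed zero IV combined with client-chosen input, not AES itself, which is why the fix enforces secure RPC rather than changing the cipher.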
 

[correlate]

May 4, 2019
Microsoft today warned that the Iranian-backed MuddyWater cyber-espionage group was observed using ZeroLogon exploits in multiple attacks during the last two weeks.

The ongoing attacks exploiting the critical 10/10 rated CVE-2020-1472 security flaw were spotted by Microsoft's Threat Intelligence Center.
"MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks," Microsoft warned earlier today. "We strongly recommend patching."
 

silversurfer

Aug 17, 2014
Microsoft says that TA505, which it tracks as Chimborazo, deployed a campaign with fake software updates that connect to the threat actor’s command and control (C2) infrastructure. The purpose of the malicious updates is to give hackers increased privileges (User Account Control bypass) on the target system and run malicious scripts.
Source: Microsoft
 

silversurfer

Aug 17, 2014
According to the joint alert, the observed attacks combined two security flaws known as CVE-2018-13379 and CVE-2020-1472.
CVE-2018-13379 is a vulnerability in the Fortinet FortiOS Secure Socket Layer (SSL) VPN, an on-premise VPN server designed to be used as a secure gateway to access enterprise networks from remote locations. CVE-2018-13379, disclosed last year, allows attackers to upload malicious files on unpatched systems and take over Fortinet VPN servers.
CVE-2020-1472, also known as Zerologon, is a vulnerability in Netlogon, the protocol used by Windows workstations to authenticate against a Windows Server running as a domain controller. The vulnerability allows attackers to take over domain controllers, servers used to manage entire internal/enterprise networks, which usually contain the passwords for all connected workstations.

CISA and the FBI say attackers are combining these two vulnerabilities to hijack Fortinet servers and then pivot and take over internal networks using Zerologon.
"Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials," the two agencies also added.
The joint alert didn't provide details about the attackers except to describe them as "advanced persistent threat (APT) actors."
 
