Zffoto - stock.adobe.com

Microsoft: Threat Actors Exploiting Unpatched Windows Zerologon Flaw

DHS CISA alert highlights a Microsoft report that shows threat actors, including nation-state hackers, are actively exploiting a Windows Netlogon flaw, security researchers dubbed Zerologon.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is urging organizations to review a Microsoft alert, as threat actors, including nation-state hackers, continue to exploit a Windows Netlogon vulnerability, dubbed by security researchers as Zerologon. 

Both Microsoft and CISA have repeatedly warned of ongoing attacks against this critical flaw, which can enable attackers to spoof a domain controller account to steal domain credentials and take over the domain.  

CISA has already observed nation-state actors successfully exploiting the flaw, with the malicious activity directed at federal and state, local, tribal, and territorial government networks. However, attacks have also been directed at other sectors. 

A public exploit for the elevation of privilege vulnerability was made public in early September, making unpatched devices a prime target for cybercriminals. Officials warned an Active Directory infrastructure compromise would be significant and costly to the enterprise. 

To exploit the CVE-2020-1472 flaw, an attacker would need to establish a secure connection to a vulnerable Netlogon, through its Remote Protocol (MS-NRPC), an RPC interface exclusively used by domain-connected devices. The MS-NRPC uses an authentication method to establish a secure Netlogon channel. 

“An unauthenticated attacker with network access to a domain controller can impersonate any domain-joined computer, including a domain controller,” CERT Coordination Center officials explained in September. 

“Among other actions, the attacker can set an empty password for the domain controller's Active Directory computer account, causing a denial of service, and potentially allowing the attacker to gain domain administrator privileges,” they added. 

If successful, the threat actor would also be able to run a specially crafted application on a network device. 

Microsoft released a patch as part of a two-part rollout in August that modifies how Netlogon handles the use of secure channels and enforces secure RPC use for machine accounts, trust accounts, and for all Windows and non-Windows DCs, as well as created a new group policy to allow non-compliant device accounts. 

The second part of the patch is scheduled to be released in February 2021. 

The latest CISA alert again urged administrators to patch all domain immediately, “until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes.”  

In response to the ongoing cyber activity, CISA released a patch validation script for detecting unpatched Microsoft domain controllers. 

“If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services,” officials warned. 

Organizations were also encouraged to take “follow-on actions” provided by Microsoft to prepared for the second rollout of the Netlogon migration process. 

“Once fully deployed, Active Directory domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts,” Microsoft explained. “We strongly encourage anyone who has not applied the update to take this step now. Customers need to both apply the update and follow the original guidance... to ensure they are fully protected from this vulnerability.” 

As previous reports showed cybercriminals have been conducting a massive scanning campaign that searches for unpatched, vulnerable endpoints, it’s crucial organizations apply this patch and mitigation methods. 

For example, Iran-based hackers have been actively targeting industries associated with healthcare, insurance, government, information technology, and others across the US, by first leveraging mass scanning and other tools to identify networks with any open, vulnerable points. 

Once they gain a foothold, the hackers move to conducting malicious activity. The attacks are designed to maintain a presence on the victim’s network, while the FBI believes these hackers are also capable of deploying ransomware – which also may be their intent. 

Given the onslaught of Ryuk and Trickbot deployments in healthcare in recent weeks, the time for proactive measures is now.

Next Steps

Dig Deeper on Cybersecurity strategies