
CISA: Hackers Exploiting Unpatched Microsoft NetLogon Vulnerability

Microsoft and DHS CISA released multiple alerts and mitigation methods, including a partial patch, for a vulnerability found in Microsoft NetLogon, which hackers are actively exploiting.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency has urged all organizations to apply the partial patch and to implement mitigation methods for a vulnerability in the Netlogon component of Windows domain controllers, as hackers are actively exploiting the flaw. 

The elevation of privilege flaw CVE-2020-1472, dubbed “Zerologon,” is triggered when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller over the Netlogon Remote Protocol (MS-NRPC), an RPC interface used exclusively by domain-joined devices. 

MS-NRPC has its own authentication method for establishing a Netlogon secure channel, and that is where the flaw lies: the handshake's credential computation (AES-CFB8 with a fixed all-zero initialization vector) can be passed without knowing the machine account's password. An attacker who can reach the interface can therefore authenticate to the domain controller as a domain computer account, including the domain controller's own account, and from there obtain domain administrator access.  

If successful, an attacker could run a specially crafted application on a device on the network. When the flaw was reported, Microsoft released a partial patch as the first part of a two-part rollout; it changes how Netlogon handles secure channel connections. 

The second part of the update, the enforcement phase, is scheduled for release by Microsoft in the first quarter of 2021. At the time of the alert, CISA warned that the vulnerability would be a prime target for hackers given the release of a public exploit. 

Now, less than two weeks after the initial announcement, hackers have begun exploiting the flaw against organizations that have failed to apply the patch and mitigation methods. DHS CISA officials stressed that applying the patch provided by Microsoft prevents exploitation of the flaw. 

Further, CISA released a patch validation script able to detect unpatched Microsoft domain controllers. For healthcare, this tool will prove particularly helpful given many providers struggle to locate the complete inventory of connected devices on the network. 

“This script must be run on a primary domain controller with required permissions,” officials explained. “It will recursively query all the domain controllers within the Forest, using WMI to retrieve the Domain Controller Name, Operating System, and KB that's installed." 
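The procedure the CISA script follows, as an added example written for this article (not CISA's own script): enumerate every domain controller in the forest, query each one over WMI/CIM for its installed hotfixes, and report which ones cannot be confirmed patched. The KB identifiers are an assumption you must supply: take the August 2020 update IDs (or the later cumulative updates that supersede them) for your OS builds from Microsoft's CVE-2020-1472 advisory. Run it on a domain controller with an account that can query the other DCs.

```powershell
# Added example, not CISA's script: forest-wide DC inventory and KB check.
# Assumption: $RequiredKB holds the KB IDs that carry the Netlogon fix for
# your OS builds (from Microsoft's CVE-2020-1472 advisory); no IDs are hardcoded here.
#Requires -Modules ActiveDirectory

function Get-DcPatchStatus {
    [CmdletBinding()]
    param(
        # KB IDs that indicate the Netlogon fix is installed, e.g. 'KB<your-build-specific-id>'.
        [Parameter(Mandatory)]
        [string[]]$RequiredKB
    )

    # Walk every domain in the forest, then every DC (RODCs included) in each domain.
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        $dcs = Get-ADDomainController -Filter * -Server $domain
        foreach ($dc in $dcs) {
            $result = [ordered]@{
                Domain           = $domain
                DomainController = $dc.HostName
                OperatingSystem  = $dc.OperatingSystem
                IsReadOnly       = $dc.IsReadOnly
                Reachable        = $false
                MatchingKB       = $null
                Patched          = $false
            }
            try {
                # WMI/CIM query for installed hotfixes on the remote DC.
                $hotfixes = Get-CimInstance -ClassName Win32_QuickFixEngineering `
                    -ComputerName $dc.HostName -ErrorAction Stop
                $result.Reachable = $true
                $match = $hotfixes | Where-Object { $RequiredKB -contains $_.HotFixID }
                if ($match) {
                    $result.MatchingKB = ($match.HotFixID -join ',')
                    $result.Patched = $true
                }
            } catch {
                # An unreachable DC is reported rather than skipped: its state is
                # unknown, and an unknown DC must be treated as unpatched.
                $result.MatchingKB = "ERROR: $($_.Exception.Message)"
            }
            [pscustomobject]$result
        }
    }
}

# Usage: full report first, then a warning per DC that is not confirmed patched.
$status = Get-DcPatchStatus -RequiredKB 'KB<your-build-specific-id>'
$status | Format-Table -AutoSize
$status | Where-Object { -not $_.Patched } | ForEach-Object {
    Write-Warning "$($_.DomainController) is not confirmed patched for CVE-2020-1472"
}
```

Because Win32_QuickFixEngineering lists only the updates currently installed, a DC that has moved on to a later cumulative update will not show the August 2020 KB; include the superseding KB IDs in the list, and treat any DC that reports an error as unpatched until it is confirmed otherwise.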

"CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable,” officials warned. 

The patch provided by Microsoft changes the Netlogon protocol to protect Windows devices by default, logs events that identify noncompliant devices, and adds the ability to enable protection for all domain-joined devices, with explicit exceptions. 

Further, the update enforces secure RPC usage for machine accounts on Windows-based devices and for trust accounts, as well as for all Windows and non-Windows DCs. It also includes a new group policy to allow non-compliant device accounts. But "even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection." 

Lastly, organizations can further mitigate the flaw by installing the update on all DCs and RODCs, monitoring for the new events, and addressing noncompliant devices that are still using vulnerable Netlogon secure channel connections.  

Machine accounts on those noncompliant devices can be explicitly allowed to keep using the vulnerable Netlogon secure channel through the group policy, but the devices will need to be updated to support secure RPC with the domain controller, and administrators should enforce the accounts as soon as possible to reduce the risk of attack. 
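The monitoring step above, as an added example that is not Microsoft's or CISA's code: collect from every domain controller the Netlogon events the August 2020 update introduced, tally which device accounts are still negotiating vulnerable secure channels, and read back whether each DC already has enforcement mode switched on. The event IDs (5827/5828 denied, 5829 allowed during the initial deployment phase, 5830/5831 allowed by the group policy) and the FullSecureChannelProtection registry value are from Microsoft's CVE-2020-1472 deployment guidance; the EventData field names used for the account, domain and client OS (SamAccountName, Domain, MachineOs) are an assumption taken from the event manifest and may need adjusting.

```powershell
# Added example (not Microsoft's or CISA's): report vulnerable Netlogon secure
# channel usage from the new Netlogon events, and check enforcement state per DC.
#   5827 / 5828  denied vulnerable connection (machine account / trust account)
#   5829         vulnerable connection allowed during the initial deployment phase
#   5830 / 5831  vulnerable connection allowed by group policy (machine / trust)
#Requires -Modules ActiveDirectory

function Get-NetlogonVulnerableChannelReport {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [int]$Days = 7
    )
    $ids = 5827, 5828, 5829, 5830, 5831
    foreach ($dc in $DomainController) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = $ids
            StartTime    = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue   # no events is not an error here
        foreach ($e in $events) {
            # Flatten EventData into name/value pairs; unnamed fields get an index.
            $xml = [xml]$e.ToXml()
            $data = @{}
            $i = 0
            foreach ($d in $xml.Event.EventData.Data) {
                $name = if ($d.Name) { $d.Name } else { "Field$i" }
                $data[$name] = $d.'#text'
                $i++
            }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                EventId          = $e.Id
                Outcome          = if ($e.Id -in 5827, 5828) { 'Denied' } else { 'Allowed' }
                # Field names below are an assumption from the event manifest.
                Account          = $data['SamAccountName']
                AccountDomain    = $data['Domain']
                ClientOs         = $data['MachineOs']
            }
        }
    }
}

function Get-NetlogonEnforcementState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # FullSecureChannelProtection = 1 turns enforcement mode on ahead of the
    # enforcement phase; absent or 0 means the DC is still in the initial
    # deployment phase and only logs 5829 for vulnerable connections it allows.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $v = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection
        [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; EnforcementOn = ($v -eq 1) }
    }
}

# Usage: which accounts still use vulnerable channels, and where enforcement is already on.
Get-NetlogonVulnerableChannelReport | Group-Object Account, Outcome |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
(Get-ADDomainController -Filter *).HostName |
    ForEach-Object { Get-NetlogonEnforcementState -ComputerName $_ }
```

Accounts that keep appearing with an Allowed outcome are the devices to update or, failing that, to list in the group policy exception while they are being fixed; once the list is empty, enforcement can be turned on by setting FullSecureChannelProtection to 1 on every DC rather than waiting for the second phase of the rollout.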

In light of at least four massive ransomware attacks in the last week, which have driven hospitals into EHR downtime, it’s crucial that healthcare providers apply the partial patch as soon as possible. 
