Microsoft Warns of Active Exploitation of the “Zerologon” Bug in Windows Server

Over the last two weeks, Microsoft has warned that the Windows Server security vulnerability known as “Zerologon” is being actively exploited.

What Is Zerologon?

The security vulnerability dubbed Zerologon was first discovered by Tom Tervoort, Senior Security Specialist at Secura. The vulnerability, designated CVE-2020-1472, is a flaw in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, Microsoft’s proprietary directory service that lets IT administrators authenticate computers within a network. The flaw in Netlogon Remote Protocol allows an unauthenticated attacker with existing network access to a Windows Server operating system running the Active Directory domain controller role to completely compromise all Active Directory identity services.

In the whitepaper “ZeroLogon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472),” Tervoort said, “By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD [Active Directory].”

“It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,” Tervoort added. “The attack is completely unauthenticated: the attacker does not need any user credentials.”

In essence, exploiting Zerologon turns an attacker into an admin. Tervoort reported his discovery to Microsoft. On August 11, 2020, Microsoft released the first part of a two-stage patch for the Zerologon vulnerability. On September 11, 2020, a month after the release of the first part of the two-stage patch, Tervoort published the whitepaper cited above, “ZeroLogon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472),” which included a partial proof-of-concept of the vulnerability.

Microsoft rated the Zerologon vulnerability a perfect 10, meaning attackers can exploit it with little or no action from users.

Zerologon Exploitation

In a tweet dated October 6, 2020, Microsoft Security Intelligence said that it had observed a threat actor using the Zerologon exploit in active campaigns over the preceding two weeks. Daniel Naim of the Microsoft Defender Advanced Threat Protection team had posted an earlier update about Zerologon exploitation on October 1.

According to Naim, the surge of Zerologon exploitation began on September 13, and this increase in activity was followed by the publication of several proof-of-concept tools that exploit the Zerologon vulnerability. Naim said that one of the adversaries exploiting Zerologon first gained access to Windows Server operating systems by exploiting CVE-2019-0604 in SharePoint.

Microsoft describes CVE-2019-0604 as a remote code execution vulnerability in Microsoft SharePoint that exists when the software fails to check the source markup of an application package. “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft said.

After compromising these Windows Server operating systems via CVE-2019-0604, the adversary implanted a web shell to gain persistent access and code execution. Following the web shell installation, the adversary deployed Cobalt Strike and began exploring the network, looking for domain controllers with the Zerologon vulnerability.

Cobalt Strike is a commercial penetration testing tool that’s marketed as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors.”

Researchers at Cisco Talos, meanwhile, reported late last month that they were tracking a spike in exploitation attempts against CVE-2020-1472.

On September 18, 2020, Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security, issued a rare Emergency Directive requiring federal executive branch departments and agencies to apply Microsoft’s August 11 patch to all Windows Servers with the Active Directory domain controller role in any information system. Krebs said that CVE-2020-1472 poses an unacceptable risk for the following reasons:

  • The availability of the exploit code in the wild increases the likelihood of any unpatched domain controller being exploited;
  • The widespread presence of the affected domain controllers across the federal enterprise;
  • The high potential for a compromise of agency information systems; and
  • The grave impact of a successful compromise.

Preventive and Mitigating Measures

Microsoft offers the following steps for protecting your organization’s network from Zerologon exploitation:

  1. Update your domain controllers with the update released on August 11, 2020, or a later one.
  2. Find which devices are making vulnerable connections by monitoring event logs.
  3. Address non-compliant devices making vulnerable connections.
  4. Enable enforcement mode to address CVE-2020-1472 in your environment. Microsoft warns that enabling enforcement mode can disrupt production services for third-party clients that don’t support secure NRPC.
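Steps 2 through 4 above come down to reading the Netlogon events a patched domain controller writes and deciding which devices must be fixed before enforcement mode is switched on. The script below is an added example, not code from the article or from Microsoft: it parses a small export of System log events, counts the Netlogon secure-channel events per machine account, and lists the accounts whose vulnerable connections are currently still being allowed. The event IDs (5827 and 5828 for denied vulnerable connections, 5829 for connections allowed during the initial deployment phase, 5830 and 5831 for connections allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy) are the ones Microsoft documents for the August 2020 update; the pipe-separated `EventID|Source|Message` export format and the log lines themselves are constructed for this example and are not real event text.

```python
"""
Triage of Netlogon secure-channel events on a patched domain controller.

Added example, not from the article or from Microsoft. After the August 11,
2020 update a domain controller logs NETLOGON events in the System log when
it sees Netlogon secure channel connections that do not use secure RPC.
The event IDs below are the ones Microsoft documents for that update; the
simplified "EventID|Source|Message" export format and the sample lines are
constructed for this example.
"""
from collections import defaultdict
import re

# Event IDs from Microsoft's guidance for the August 2020 Netlogon update.
VULNERABLE_EVENT_IDS = {
    5827: "denied (machine account)",
    5828: "denied (trust account)",
    5829: "allowed (machine account, deployment phase)",
    5830: "allowed by policy (machine account)",
    5831: "allowed by policy (trust account)",
}

# IDs that mean the DC is still accepting the vulnerable connection; these
# devices would start failing once enforcement mode is enabled (step 4).
ALLOWED_IDS = {5829, 5830, 5831}

# Constructed sample export (not real event text), one event per line.
SAMPLE_LOG = """\
5829|NETLOGON|Allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLDPRINTER01$ Domain: CORP
5829|NETLOGON|Allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLDPRINTER01$ Domain: CORP
5827|NETLOGON|Denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: LEGACYNAS$ Domain: CORP
5830|NETLOGON|Allowed a vulnerable Netlogon secure channel connection because the account is listed in the allow group policy. Machine SamAccountName: APPSRV07$ Domain: CORP
5805|NETLOGON|The session setup from the computer WS042 failed to authenticate.
7036|Service Control Manager|The Netlogon service entered the running state.
"""

ACCOUNT_RE = re.compile(r"SamAccountName:\s*(\S+)")


def parse_events(text):
    """Yield (event_id, source, message) tuples from the simplified export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, source, message = line.split("|", 2)
        yield int(event_id), source, message


def vulnerable_connections(text):
    """Return {account: {event_id: count}} for Netlogon events that mark a
    connection made without secure RPC (step 2 of Microsoft's guidance).
    Unrelated Netlogon events and other sources are ignored."""
    summary = defaultdict(lambda: defaultdict(int))
    for event_id, source, message in parse_events(text):
        if source != "NETLOGON" or event_id not in VULNERABLE_EVENT_IDS:
            continue
        match = ACCOUNT_RE.search(message)
        account = match.group(1) if match else "<unknown>"
        summary[account][event_id] += 1
    return {acct: dict(ids) for acct, ids in summary.items()}


def still_allowed(summary):
    """Accounts whose vulnerable connections are still being allowed; these
    must be updated, decommissioned or explicitly allow-listed (step 3)
    before enforcement mode is turned on (step 4)."""
    return sorted(acct for acct, ids in summary.items()
                  if any(eid in ALLOWED_IDS for eid in ids))


if __name__ == "__main__":
    report = vulnerable_connections(SAMPLE_LOG)
    for account, ids in sorted(report.items()):
        for event_id, count in sorted(ids.items()):
            label = VULNERABLE_EVENT_IDS[event_id]
            print(f"{account:15} {event_id} {label:45} x{count}")
    print("Address before enabling enforcement:", ", ".join(still_allowed(report)))
```

On a real domain controller the same triage starts from the System log filtered to the NETLOGON source and these event IDs; once the list returned by `still_allowed` is empty, enforcement mode can be enabled, which Microsoft’s guidance for the update does by setting the `FullSecureChannelProtection` registry value to 1 under the Netlogon service’s `Parameters` key.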

If patching isn’t possible, ensure that the unpatched Windows Server operating system with the Active Directory domain controller role is removed from the network.

It’s important to note that Microsoft’s August 11 patch is only the first part of the two-stage patch for the Zerologon vulnerability. Microsoft will release the second phase in the first quarter of 2021. This final phase will turn on enforcement mode by default, requiring all administrators to update, decommission or whitelist devices that don’t support secure NRPC.

Timely updates are critical, but they take time and resources, not to mention the knowledge needed to succeed. At GenX, we employ top Microsoft-certified experts to make your IT resilient.

Schedule a free consultation today and we will show you how to turn your IT from a cost centre into a real competitive advantage. Call now at (416) 920-3000 or email us at
