Lessons Learned from the “Zerologon” Vulnerability in Windows Server Machines
Last year, a vulnerability dubbed “Zerologon” was discovered in Windows Server operating systems. The discovery was first made by security specialist Tom Tervoort. Zerologon, also known as CVE-2020-1472, is a vulnerability in the MS-NRPC (Netlogon) remote protocol, an authentication component of Microsoft’s Active Directory, a service that allows administrators to authenticate computers. If exploited, the vulnerability allows an attacker to gain control of Active Directory identity services, completely compromising the security of the entire network.
Tervoort noted that compromising the system was as simple as sending a series of Netlogon messages with fields filled with zeros. Using this method, a malicious actor could change the password of the domain controller. The attacker does not need compromised credentials; they gain access to the network while completely bypassing authentication. In August of last year, Microsoft released the first part of a patch for the Zerologon vulnerability. Part 2 was released on September 11th of last year.
Daniel Naim, a security researcher on the Microsoft Defender Advanced Threat Protection team, noted that the majority of Zerologon exploitation began on September 13th. While exploitation was active, numerous proof-of-concept tools that take advantage of the vulnerability were published online. Some of these attackers also exploited a previously discovered vulnerability, CVE-2019-0604, in their attacks.
CVE-2019-0604 is another vulnerability in Microsoft code; it allows arbitrary code to be executed remotely in Microsoft SharePoint. In this attack chain, the malicious actor gains initial access by exploiting SharePoint, then deploys Cobalt Strike to look for devices on the network that can be further attacked using the Zerologon vulnerability. Cobalt Strike is a penetration-testing tool that simulates a cyberattack on a network to discover weak points.
On September 18th, 2020, Christopher Krebs of the U.S. Department of Homeland Security issued an emergency order requiring federal branches to install Microsoft’s Windows Server patches protecting against CVE-2020-1472. It was deemed a high-priority emergency for three reasons. First, the public availability of proof-of-concept exploit software increases the risk to unpatched devices. Second, the number of potentially vulnerable domain controllers in use across federal enterprises was high. Finally, a successful attack would have dire implications.
Protecting Against Zerologon:
The Zerologon vulnerability of 2020 illustrates the importance of applying security patches promptly, especially on devices that hold administrative privileges over a network. Vulnerabilities are constantly being discovered by both cybersecurity researchers and malicious actors. To stay ahead of the curve, it is essential to follow cybersecurity news and monitor continuously for updates.
In addition, Microsoft advises continuously monitoring your network for vulnerable connections and pinpointing the vulnerable devices that could serve as entry points into your company. Finally, an extra layer of security can be added by enabling enforcement mode, although Microsoft notes that this may affect performance for some third-party clients that don’t support NRPC.
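As an added example (not code from this article or from Microsoft), the following PowerShell script checks a domain controller for both of the measures just described: whether enforcement mode is switched on, and whether the patched Netlogon service has recorded any vulnerable connections that point to non-compliant devices. It assumes it is run in an elevated session on a domain controller that already has the August 2020 Netlogon update installed, and relies on the registry value (FullSecureChannelProtection) and the System-log event IDs 5827 through 5831 that Microsoft documented with that update; the function names are my own.

```powershell
# Added example, not from the article or from Microsoft: audit one domain controller for the
# Zerologon (CVE-2020-1472) mitigations described above. Run in an elevated PowerShell session
# on a DC that has the August 2020 Netlogon update installed. The registry value and event IDs
# below are the ones Microsoft documents for that update; the function names are assumptions.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Meaning of the NETLOGON events the patched service writes to the System log.
$EventMeaning = @{
    5827 = 'DENIED: machine account tried a vulnerable (non-secure-RPC) Netlogon channel'
    5828 = 'DENIED: trust account tried a vulnerable Netlogon channel'
    5829 = 'ALLOWED: vulnerable machine-account connection (enforcement not yet on)'
    5830 = 'ALLOWED: vulnerable machine-account connection via group policy exception'
    5831 = 'ALLOWED: vulnerable trust-account connection via group policy exception'
}

function Get-ZerologonEnforcementState {
    # FullSecureChannelProtection = 1 is enforcement mode; a missing value or 0 means the
    # initial deployment phase, which still admits vulnerable connections (and logs 5829).
    $value = Get-ItemProperty -Path $NetlogonParams -Name 'FullSecureChannelProtection' `
                              -ErrorAction SilentlyContinue
    if ($null -ne $value -and $value.FullSecureChannelProtection -eq 1) { 'Enforced' }
    else { 'NotEnforced' }
}

function Get-VulnerableNetlogonConnections {
    param([int]$Days = 7)
    # Pull only the Netlogon secure-channel events from the last $Days days.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = @($EventMeaning.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as a non-terminating error; suppress it.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($group in ($events | Group-Object Id)) {
        [pscustomobject]@{
            EventId  = [int]$group.Name
            Count    = $group.Count
            LastSeen = ($group.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
            Meaning  = $EventMeaning[[int]$group.Name]
        }
    }
}

# --- report ---
"Domain controller : $env:COMPUTERNAME"
"Enforcement mode  : $(Get-ZerologonEnforcementState)"
$findings = Get-VulnerableNetlogonConnections -Days 7
if (-not $findings) {
    'Netlogon events   : none in the last 7 days (no vulnerable clients seen, or update not installed)'
} else {
    $findings | Sort-Object EventId | Format-Table -AutoSize
}
```

Two caveats when reading the output: the 5827 to 5831 events exist only once the update is installed, so a DC that reports "NotEnforced" and no events may simply be unpatched rather than clean; and the full text of each 5829 event names the client machine account and address that used the vulnerable channel, which is the list of devices to fix or replace before switching the DC to enforcement mode.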
Don’t fall victim to a cyberattack. GIGE’s network security technicians have over 30 years of experience protecting organizations’ networks. Call us at +1 888 366 4443 to get started today.