September 23, 2020
Last week, a new exploitable vulnerability in Microsoft Active Directory called Zerologon (CVE-2020-1472), was released publicly. Successful exploitation allows any user to become a Domain Administrator with global access to all computers in the enterprise in about 10 seconds. The vulnerability opens a quick path for criminal actors to conduct crippling business-wide lockdown and ransom events.
Active Directory provides centralized authentication for most businesses and most users do not have administrative credentials. In practical terms, this means that when attackers compromise a user through a phishing or other attack, they must find a path to elevated credentials, which will allow them to steal large quantities of sensitive data and to disrupt and encrypt systems. These elevation attacks can be time consuming and buy defenders valuable time to detect and disrupt attackers before large amounts of data can be accessed or stolen and ransomed.
There have been a number of vulnerabilities in the past few years that are more flash than substance, however, Zerologin is easily exploited and extremely impactful. Many vulnerabilities take weeks for proof of concept (POC) code to be built and then additional weeks for those to be worked into tools that can be leveraged by attackers. WIth Zerologon, we’ve seen rapid adoption and weaponization in tools such as Mimikatz and Impacket that are leveraged by attackers and security testing teams alike. We expect to see these exploits leveraged in large ransom events in the coming weeks and months as businesses work to patch and fully address the issue.
Unfortunately for organizations to fully address the issue, they will not only have to deploy the Microsoft patch, but also enable the following registry modification. Microsoft has outlined this in an incredibly convoluted and potentially business-breaking 7-step plan here, which, unfortunately, indicates that we’re going to be dealing with Zerologon related issues at least until February 2021, when Microsoft pushes the change in an update.
At Measured we’re always on the look out for potential issues that can change the short-term risk outlook across our portfolio and this definitely meets the bar. We expect that we will see widespread exploitation and that will increase both the frequency and magnitude of incoming claims.
The Department of Homeland Security has ordered all federal civilian agencies to install the security patch that was released by Microsoft in August 2020 in an emergency directive, which is rarely used and enables the United States government to require federal agencies to take rapid action.
For some vulnerabilities, it’s worthwhile to talk about detection logic, however, with Zerologon there is only one viable option—patch and enforce secure RPC for MS-NRPC.
You can read the Secura whitepaper here.
To get started protecting your organization from attacks like this, assess your risk and get the right cyber liability coverage. Find out how much you need with our three-question quiz.
Written by: [Will Peteroy]