February 16, 2021
In September, we brought you news of a new exploitable vulnerability in the Microsoft Active Directory—Zerologon—also tracked as CVE-2020-1472. Zerologon impacts the Netlogon Remote Protocol for Window Servers and allows any user to become a Domain Administrator with global access to all systems and networks in the enterprise—in less than 30 seconds. This vulnerability has offered an open door for criminal actors to access confidential files and create major chaos with business-wide lockdowns and ransomware.
This post is more technical than our typcial posts. If you’re new to learning about Zerologon, read our initial article here. You can also read more information about Zerologon on the Microsoft website here.
Where are we now? It’s been four months since the public learned about Zerologon, what have we learned? What has been impacted? Read on to learn about ongoing attacks, Microsoft’s second patch, and steps you should take to mitigate your risk of a Zerologon threat.
The Zerologon vulnerability is still a threat
CVE-2020-1472, or Zerologon, has been given a CVSS score of 10 and both Microsoft and government agencies have distributed the news to patch the bug. But even with widespread news of Zerologon and the required action of patching the vulnerability, crime actors are still trying to take advantage of the loophole.
A prime example is the Ryuk group. In an attack late last year, they were able to go from initial attack via phishing email to full encryption in only five hours. The phishing email started with a successful infection with Bazarloader, allowing the group to map the domain using common Active Directory tools. The attacker then exploited the Zerologon vulnerability, to elevate their privileges to Domain Administrator and used Cobalt Strike, AdFind, WMI, and PowerShell to continue the attack. Nearly five hours into the attack, Ryuk deployed ransomware onto backup servers. For the criminal actors, this attack was faster and simpler because of the Zerologon vulnerability—they were able to easily exploit the vulnerability to gain the privileges needed to deploy ransomware.
TA505, or Chimborazo, is another example of a criminal actor exploiting the Zerologon vulnerability to simplify and accelerate deployment of Clop ransomware. This ransomware strain is well-known from the attack on Maastricht University that required a 30 bitcoin (around $220,000) ransom demand.
TA505 has been utilizing fake software update messages. These messages connect to TA505’s command and control infrastructure, giving them elevated privileges on the victim’s system. The group uses Mimikatz to deploy a domain takeover.
The U.S. Cybersecurity and Infrastructure Security Agency warned organizations in October 2020 that crime actors were chaining other flaws to the Zerologon bug to target hard-to-breach networks, like those in the government. Experts expect that this practice is still ongoing.
Mercury, a nation-state hacking group with ties to Iran, has also been trying to maximize the Zerologon vulnerability. This group of hackers, also known as Static Kitten and Seedworm, is known for launching espionage campaigns against U.S. organizations and India. Attacks from the Mercury group were detected by the Microsoft Threat Intelligence Center in October 2020.
Zerologon threats can present in a variety of ways
Many crime actors will use a typical software update message—faking credibility to infiltrate the system. This can lead to complete control, bypassing security to run malicious scripts. Some attacks have infected endpoints, creating a roadmap to deploy ransomware.
The Zerologon vulnerability impacts the Netlogon Remote Protocol, making it a critical concern for businesses with so many employees working from home during the global pandemic. Managing user accounts and access for these employees is imperative to keep data and systems safe.
The first phase of the patch was issued in August of 2020 to mitigate as much of the vulnerability as possible. The second patch was released on February 9, 2021. You can read more about it here.
Your next steps
If your organization has not deployed the first patch, released on August 11, 2020, it’s time to do so. And to ensure all known vulnerabilities are patched—especially those that are currently used to chain to Zerologon—enable all updates from Microsoft.
Enforcement mode was turned on by default via the February 9, 2021 patch. All Windows and non-Windows devices are now required to use secure RPC with Netlogon secure channel or they will need to explicitly allow specific accounts by adding exceptions.
Cyber insurance is a critical step in protecting your organization against the repercussions of a cyber attack. Assess your current risk with our three-question risk calculator.
Written by: [Will Peteroy]