Originally posted by DataEndure Director Of Technical Operations, Joe Dickens, on linkedin.com
It’s possible you’ve already heard about the Zerologon Vulnerability, and you might be wondering what the real story is and how to best defend against it. In this blog, we provide a breakdown to help you navigate and take action to keep your organization secure.
Zerologon (CVE-2020-1472): DataEndure Among First to offer Detection on the Endpoint
- Some endpoint vendors have been claiming this 10/10 severity CVE is a network security issue. This is a dangerous misstatement – exploitation of Zerologon can be detected on the endpoint.
- DataEndure’s Endpoint Detectoin and Response-as-a-Service (EDRaaS) is one of the only known solutions able to accurately detect the exploitation attempt on targeted hosts.
- This critical detection ability is available now for existing DataEndure EDRaaS customers.
The Zerologon Vulnerability:
What it is: CVE-2020-1472, more popularly known as “Zerologon”, is a critical vulnerability in all versions of Microsoft Windows Server that are currently supported (Windows 2008 R2, 2012, 2016, 2019). This privilege escalation vulnerability leverages a flaw in the Netlogon Remote Protocol (MS-NRPC) and allows an attacker to impersonate a system, including the machine account of the domain controller itself.
What it does: The vulnerability allows a remote attacker to forge an authentication token for Netlogon to set the computer password of the domain controller to a known value. After that, an attacker can use the new password to take over the domain controller, alter or add additional authentication credentials, escalate privileges or move laterally to other machines in the domain.
Other researchers have discovered more ways to operationalize the Zerologon vulnerability beyond resetting the domain passwords, including demonstrating the capability to extract all domain passwords. This development further increases your exposure.
For such an attack to be successful, an attacker would first have to gain remote or physical access to a device on the same network as a domain controller. However, valid domain credentials, or domain membership, are not prerequisites for a successful attack.
Since the vulnerability was disclosed, exploit code has been found in the wild and CISA has stated that the vulnerability poses an “unacceptable risk” and requires “immediate and emergency action”.
Although Microsoft has released an initial patch for Zerologon, it is only the beginning of a phased rollout, which they expect to take until at least Q1 of 2021 to complete. Meanwhile, Microsoft’s advisory points out that the current update only protects supported Windows devices, leaving legacy versions of Windows and other devices that communicate with domain controllers using the Netlogon MS-NRPC protocol vulnerable to compromise.
Moreover, the initial patch does not prevent an attack exploiting Zerologon. Rather, it adds logging to detect non-secure RPC and a registry setting to disable non-secure RPC if there aren’t any devices using the protocol. The challenge for enterprise security teams is that this may break legacy applications if it is just turned off. Hence, even with the currently available patch, if an organization can’t disable the registry setting, they are still vulnerable.
How you can Detect and Defend Against Abuse of Zerologon
From an endpoint perspective, this attack can be challenging to detect as the attacker is essentially authenticating to the domain in a manner resembling legitimate user/account behavior. In addition, the primary attack vector is at the network level, as opposed to through interaction with a host’s filesystem. As a result, addressing the flaw directly is ‘out-of-scope’ for many traditional endpoint security solutions.
In contrast, DataEndure takes a vector agnostic approach that leverages some unique, proprietary innovations to enable detection of this exploit on the endpoint. Our security team has been running numerous tests across various available frameworks and during this analysis, we observed that this attack, while successful, will also be highly noticeable on the domain controller as the attack negatively affects communications with the domain controller in numerous ways.
As a result, DataEndure’s EDRaaS platform is able to both detect initial exploitation as well as the post-exploitation attacks on a targeted system. While this attack starts from the network, the endpoint is fully aware of the incoming traffic attempts.
The Netlogon Remote Protocol is used to maintain domain relationships from the members of a domain to the domain controller (DC), among DCs for a domain, and between DCs across domains. By monitoring the authentication attempts made within the system, both locally and remotely, and by passing them through our behavioral AI engine, we are able to distinguish the exploitation attempts from benign authentication attempts.
When a suspicious activity is detected, a threat is raised allowing for an in-context alert to be shown in the management console.
Do you Need Protection from Zerologon? (Or whatever comes next?)
For those customers already on DataEndure’s EDRaaS – this critical detection is already available and working on your behalf. You are covered. DataEndure’s behavioral AI approach to detection is highly effective and vector agnostic; and our team is constantly innovating to keep you ahead of the adversary.
If you are not already a DataEndure customer, find out more about how we can help get your business protected in short order.