A critical CVSS 10.0 vulnerability (CVE-2020-1472) in the Microsoft Netlogon Remote Protocol was patched in the August 2020 patch cycle, but technical details were not made public until earlier this week (14th September).
Since then Redscan Labs has been researching how attackers are exploiting this vulnerability and has released a Zerologon detection tool to help identify malicious activity.
What is Zerologon?
Nicknamed “Zerologon”, the vulnerability enables an unauthenticated attacker with network access to a domain controller to perform the following actions:
- Impersonate any machine on the domain, which includes the domain controller itself, thereby enabling full domain compromise.
- Reset the password of any machine account in the domain, including the domain controller's own account.
- Disable Netlogon security features, allowing easy access for the attacker back to the domain.
This is an extremely critical vulnerability and the risks that it presents should not be underestimated.
Watch the video below for a short overview of the vulnerability.
How does the Zerologon vulnerability work?
The vulnerability stems from a flaw in the Netlogon protocol's use of AES-CFB8 encryption. The mode requires the initialisation vector (the value that stops identical plaintexts under the same key from producing identical ciphertexts) to be unique and unpredictable for every message encrypted with a given key.
However, as George Glass, Head of Threat Intelligence at Redscan explains:
“The protocol uses a fixed initialisation vector of all zeros which does not adhere to the AES-CFB8 security standard. This means that one in every 256 keys encrypting plaintext will consist of all zeros and will therefore result in an encrypted message that is also all zeros.
“This same method can then be used to infer client credentials for any machine account. Because the credentials are not locked after failed logon attempts, it is possible to iterate through all 256 permutations until a correct all zero challenge gives the valid key. In practice this method takes only about three seconds to perform!”
Once an all-zero credential has been accepted, the attacker is authenticated as the spoofed machine account without ever having known the session key. From there they can call the Netlogon password-change function and set that account's password on the domain controller, with no knowledge of the old one.
Performed against the domain controller's own machine account, this hands the attacker domain controller privileges. Using those to run DCSync and replicate every password hash in the domain, including Domain Admin accounts and krbtgt, amounts to full domain compromise.
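The handshake described above, as an added example that is not part of the original article and is not Redscan's, Secura's or Microsoft's code. It models a domain controller whose ComputeNetlogonCredential is AES-CFB8 with a fixed zero IV, and an attacker who sends an all-zero challenge and an all-zero credential until the server's fresh session key happens to be one of the 1-in-256 weak keys. The session-key derivation, the message formats and the `reject_weak_challenges` check on the hardened server are simplifications and assumptions chosen for illustration, not MS-NRPC or Microsoft's patch verbatim; if the `cryptography` package is absent the AES block function is replaced by a SHA-256 keyed PRF, which the zero-IV weakness does not depend on.

```python
"""Toy model of the Zerologon (CVE-2020-1472) Netlogon handshake weakness.
Added illustration; not the protocol implementation of any real product."""
import hashlib
import hmac
import os

BLOCK = 16           # AES block size in bytes
ZERO_IV = bytes(BLOCK)
CHALLENGE_LEN = 8    # Netlogon challenges and credentials are 8 bytes

try:
    # Real AES-128 when the 'cryptography' package is installed.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # Assumption: a SHA-256 keyed PRF stands in for the AES block function. CFB8 only
    # ever calls the forward direction, and the zero-IV flaw holds for any block function.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """AES-CFB8: keystream byte = first byte of E(key, shift register); the
    ciphertext byte is then shifted into the register."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        ks = block_encrypt(key, bytes(shift))[0]
        c = p ^ ks
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    # The bug: the IV is a constant zero rather than a fresh random value.
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_iv_weak(session_key: bytes) -> bool:
    """With IV = 0 and an all-zero challenge the credential is all zeros exactly
    when the first byte of E(key, 0^16) is zero: the register never changes."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


class NetlogonServer:
    """Toy domain controller holding one machine account's secret."""

    def __init__(self, machine_secret: bytes, reject_weak_challenges: bool = False):
        self.secret = machine_secret
        self.reject_weak_challenges = reject_weak_challenges
        self.session_key = None
        self.client_challenge = None

    def req_challenge(self, client_challenge: bytes) -> bytes:
        """NetrServerReqChallenge: a fresh session key for every attempt."""
        if self.reject_weak_challenges and len(set(client_challenge[:5])) == 1:
            # Assumption: illustrative mitigation only. Refusing challenges whose first
            # five bytes are identical removes the attacker-chosen all-zero plaintext.
            raise ValueError("client challenge rejected")
        server_challenge = os.urandom(CHALLENGE_LEN)
        # Assumption: simplified KDF (MS-NRPC uses HMAC-SHA256 over both challenges).
        self.session_key = hmac.new(self.secret, client_challenge + server_challenge,
                                    hashlib.sha256).digest()[:BLOCK]
        self.client_challenge = client_challenge
        return server_challenge

    def authenticate(self, client_credential: bytes) -> bool:
        """NetrServerAuthenticate3: no lockout, so a wrong guess costs nothing."""
        if self.session_key is None:
            return False
        expected = compute_netlogon_credential(self.session_key, self.client_challenge)
        return hmac.compare_digest(expected, client_credential)


def zerologon(server: NetlogonServer, max_attempts: int = 8192):
    """Repeat the all-zero challenge/credential pair until the server's session key
    is a weak one; returns the attempt count, or None if never accepted."""
    zeros = bytes(CHALLENGE_LEN)
    for attempt in range(1, max_attempts + 1):
        try:
            server.req_challenge(zeros)
        except ValueError:
            return None
        if server.authenticate(zeros):
            return attempt
    return None


if __name__ == "__main__":
    secret = os.urandom(16)
    print("vulnerable DC accepted the zero credential after", zerologon(NetlogonServer(secret)), "attempts")
    print("hardened DC result:", zerologon(NetlogonServer(secret, reject_weak_challenges=True)))
```

Each call to `req_challenge` derives a new session key, so the attacker is effectively sampling fresh keys until one has a zero first keystream byte; the expected number of attempts is 256, which is why the attack completes in seconds. The hardened server in the example only shows that the flaw needs an attacker-chosen all-zero plaintext; the actual fix Microsoft shipped is enforcement of signed and sealed Netlogon secure channels.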
What are the risks of Zerologon?
An adversary must first gain a foothold on a network by some other means before being able to exploit this vulnerability. It is expected that malware families such as ZLoader, TrickBot and QBot, typically used by ransomware groups, will now build their own exploits for this vulnerability and use them to obtain domain controller access automatically.
Several proof-of-concept (PoC) scripts are now available on GitHub and a module has been added to the Mimikatz post-exploitation framework, giving lower-skilled attackers tooling that can perform this exploit.
Once the krbtgt hash has been extracted via DCSync, Golden Tickets can be forged, potentially giving an attacker a foothold in the network indefinitely. This access can be abused in many different ways, and it is expected that this sort of access will go on sale in underground cybercrime forums in the near future.
George Glass, comments:
“If you believe you have been attacked in this way and an attacker may have a golden ticket, reset the krbtgt password at least twice to invalidate the golden tickets.
“There is evidence that ransomware groups have started using the Zerologon attack to deploy ransomware more rapidly, as well as to monitor and hinder restoration efforts, including using the access to destroy backup devices and storage.
“Because of the very high privileges this attack can grant and the automated nature with which it can be run, any malware running on a domain joined machine could be leveraged to obtain a full domain compromise. We recommend that you operate under an assumed breach approach of the domain if you are operating equipment which has not been patched.
“This week we have seen a slowdown in Emotet spamming, which is usually indicative of changes being made to the malware. We hypothesise that the group could be preparing to add this exploit to their spreader functions as they did with the EternalBlue SMB1 exploit previously, which had such a devastating effect.”
What does your organisation need to do?
Patches were released as part of Microsoft’s August 2020 patching cycle, so patch immediately.
Microsoft's fix is staged. The August update makes patched domain controllers enforce secure RPC (signed and sealed Netlogon secure channels) for Windows machine accounts, trust accounts and domain controllers, which blocks the Zerologon handshake from those clients; non-compliant third-party devices are still allowed, and logged, until the enforcement phase Microsoft has scheduled for February 2021, when secure RPC becomes mandatory for every account. Enforcement can be switched on early on a patched DC by setting the FullSecureChannelProtection value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Domain controllers present the highest risk and should therefore be patched first, but all Windows Servers need to be patched to effectively mitigate this vulnerability.
How can you detect a Zerologon attack?
- Netlogon RPC traffic captured on the network can be inspected: the brute-force nature of the attack shows up as a burst of NetrServerReqChallenge and NetrServerAuthenticate3 calls from a single source within a few seconds. Depending on the organisation this may be a noisy detection.
- Windows event logs can be used to detect the attack taking place:
– A computer account change (event ID 4742) whose Subject is ANONYMOUS LOGON and whose Password Last Set field has been updated is an indicator that this attack has taken place.
– An attacker using DCSync to pull domain credential hashes can be detected with event ID 4662 where the requested property is the DS-Replication-Get-Changes-All control access right (GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and the requesting account is not a domain controller.
- We are currently developing ways to use Endpoint Detection and Response (EDR) to check for modifications to the machine account registry key HKLM\SECURITY\Policy\Secrets\$machine.ACC
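The two event log checks above, as an added example that is not Redscan's Zerologon Detector or any other product's code. It parses records in the standard Windows event XML schema (the `EventID` element and the named `Data` fields under `EventData`, which is what an exported or forwarded event carries) and flags a 4742 with an anonymous subject and a changed Password Last Set, and a 4662 exercising a DS-Replication extended right from anything other than a machine account. The sample records are constructed for illustration; the field names are the ones Windows writes for these two events.

```python
"""Detect the Zerologon event-log indicators over sample Windows event XML.
Added illustration; not Redscan's Zerologon Detector."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Extended-right GUIDs requested by DCSync; matched case-insensitively below.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
}


def parse_event(xml_text: str):
    """Return (event_id, {Data Name: value}) for one Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def check_4742(data: dict):
    """Computer account changed by ANONYMOUS LOGON with a new Password Last Set:
    the trace a Zerologon password reset leaves on the domain controller."""
    if data.get("SubjectUserName", "").upper() != "ANONYMOUS LOGON":
        return None
    if data.get("PasswordLastSet", "-") == "-":   # "-" means the password was not touched
        return None
    return f"Zerologon password reset: {data.get('TargetUserName')} changed by ANONYMOUS LOGON"


def check_4662(data: dict):
    """Replication rights exercised by something other than a machine account: DCSync."""
    props = data.get("Properties", "").lower()
    if not any(guid in props for guid in DS_REPLICATION_GUIDS):
        return None
    subject = data.get("SubjectUserName", "")
    if subject.endswith("$"):       # domain controllers replicating with each other
        return None
    return f"DCSync: {subject} requested replication of {data.get('ObjectName')}"


CHECKS = {4742: check_4742, 4662: check_4662}


def detect(xml_events):
    """Run every applicable check; returns [(event_id, description), ...]."""
    findings = []
    for xml_text in xml_events:
        event_id, data = parse_event(xml_text)
        check = CHECKS.get(event_id)
        if check is not None:
            finding = check(data)
            if finding:
                findings.append((event_id, finding))
    return findings


def _event(event_id: int, fields: dict) -> str:
    """Build a minimal event XML record (constructed sample data, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample events: two exploit traces and two benign look-alikes.
SAMPLE_EVENTS = [
    _event(4742, {"SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
                  "TargetUserName": "DC01$", "PasswordLastSet": "9/18/2020 10:31:07 AM"}),
    _event(4742, {"SubjectUserName": "admin", "SubjectDomainName": "CORP",
                  "TargetUserName": "WS42$", "PasswordLastSet": "-"}),
    _event(4662, {"SubjectUserName": "bob", "ObjectName": "DC=corp,DC=local",
                  "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"}),
    _event(4662, {"SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=local",
                  "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"}),
]

if __name__ == "__main__":
    for event_id, description in detect(SAMPLE_EVENTS):
        print(event_id, description)
```

The 4662 check excludes machine accounts because DC-to-DC replication is routine; in a real estate, accounts that legitimately hold replication rights (directory synchronisation services, for instance) should be added to an allow-list rather than left to fire, and an unknown user account requesting DS-Replication-Get-Changes-All should be treated as DCSync until proven otherwise.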
Update 30th September 2020
To help determine whether your organisation has been compromised by an attacker exploiting the vulnerability (including before a patch was installed), Redscan Labs has released a free Zerologon detection tool.
Zerologon Detector identifies both successful and unsuccessful attempts to exploit Zerologon by analysing Windows event logs for evidence of the flaw being exploited.
Learn more and install Zerologon Detector.