Zerologon can wreak irreparable harm to your whole network in the time it takes you to read this sentence.
It sounds like a bad Hollywood film – the kind where ‘PASSWORD’ flashes up on the screen in 10cm characters, the hero types in ‘aliehS0808’ [1] and gets into the system. Unfortunately it’s not fiction.
“If you have yet to install CVE-2020-1472 on your Windows servers, do so immediately,” warns Dominic Bland of First Response. “It will protect you from the exploit known as Zerologon, which an attacker can use to take over a whole network in literally a few seconds.”
Zerologon takes advantage of a cryptographic weakness in the Netlogon Remote Protocol, which lets an attacker establish an unauthorised Netlogon secure channel connection to a domain controller.
At least this is how Microsoft described it, but out of an abundance of caution, they failed to tell the full story. In fact, according to Dutch researchers, the exploit is potentially lethal to a network.
In practice, the relatively weak encryption in the Netlogon protocol means that an attacker can impersonate any computer on the network when connecting to the domain controller. The attacker can even impersonate a domain controller, change the real domain controller’s password, and thereby take control of the whole network.
“However, there is some good news,” says Bland. “At present, it seems that the bad guys can’t compromise your network from outside using Zerologon. To start the process, you need to be physically plugged into the network. However, it doesn’t stop a computer on the network from being compromised from outside in another way, and then it being used to implement the Zerologon exploit. The other good news is that Microsoft’s patch means that some Netlogon features which were being disabled by Zerologon are now mandatory, which stops the attacker from gaining a foothold.”
However, Microsoft will be adding another patch, scheduled for February 2021, to prevent any possible future workarounds of CVE-2020-1472, and it has been noted that this may break the authentication of some older or less compliant devices on some networks.
A Python script is available that allows network administrators to check domain controllers for vulnerability to the exploit. This is particularly pertinent now that a Zerologon attack can be ‘shrink-wrapped’ and ‘weaponised’, so that it can be used as a stepping stone to launch a ransomware attack or other destructive activity. Even after the patch has been installed, it is recommended that the Security Operations Centre monitors for Event IDs 5827 through 5831, new event types that record when a device attempting a now-insecure Netlogon secure channel connection is denied by the domain controller.
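As an added example (not part of the article, and not a First Response or Microsoft tool), the following PowerShell collects Event IDs 5827 through 5831 from the System log of every domain controller and summarises them by event ID and connecting account. The event meanings are Microsoft’s published descriptions; the regular expression used to pull the account name out of the event text is an assumption about that text and falls back to a placeholder if it does not match.

```powershell
# Added example: gather Zerologon-related Netlogon events (IDs 5827-5831) from all DCs.
# Assumes the ActiveDirectory (RSAT) module and rights to read each DC's System log.
#Requires -Modules ActiveDirectory

$Descriptions = @{
    5827 = 'Denied vulnerable secure channel connection (machine account)'
    5828 = 'Denied vulnerable secure channel connection (trust account)'
    5829 = 'Allowed vulnerable secure channel connection (initial deployment phase)'
    5830 = 'Allowed vulnerable connection via Group Policy exception (machine account)'
    5831 = 'Allowed vulnerable connection via Group Policy exception (trust account)'
}

$Filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)   # look-back window; adjust as needed
}

$Events = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $Filter -ErrorAction Stop |
            ForEach-Object {
                # Assumption: machine-account events name the client as "Machine SamAccountName: <name>",
                # trust-account events as "Trust Name: <name>". Anything else is marked unparsed.
                $account = if ($_.Message -match '(?:Machine SamAccountName|Trust Name):\s*(\S+)') {
                    $Matches[1]
                } else { '<unparsed>' }
                [pscustomobject]@{
                    DomainController = $dc.HostName
                    TimeCreated      = $_.TimeCreated
                    EventId          = $_.Id
                    Description      = $Descriptions[$_.Id]
                    Account          = $account
                }
            }
    } catch {
        Write-Warning "Could not read System log on $($dc.HostName): $($_.Exception.Message)"
    }
}

# Summary: any 5827/5828 means a device is still attempting the insecure connection and needs attention.
$Events | Group-Object EventId | Sort-Object Name |
    Select-Object @{n='EventId';e={$_.Name}}, Count, @{n='Description';e={$Descriptions[[int]$_.Name]}} |
    Format-Table -AutoSize

# Detail, newest first, for follow-up with the owners of the affected devices.
$Events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Run it from a management host after the patch is in place; devices that keep appearing under 5827 or 5828 are the ones that will lose authentication when the February 2021 enforcement phase arrives.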
Given the speed with which the exploit can be used by an attacker, and the severe damage it can cause, this vulnerability should be taken extremely seriously and preventative action should be taken as soon as possible. If you have questions regarding this or any other aspects of your enterprise IT’s security, please get in contact with us to arrange a conversation with one of our cybersecurity specialists.
[1] “How did you do that?”
“Simple. His daughter’s name is Sheila, and her birthday’s August 8.”
“Wow, you’re smart!”
“No I’m not. He’s careless and stupid.”