On Monday September 14th, 2020 the Cybersecurity & Infrastructure Security Agency (CISA) released a critical cybersecurity alert highlighting publicly available code to exploit a vulnerability in Microsoft’s Netlogon Remote Protocol (MS-NRPC). Utilizing this elevation of privilege vulnerability, an attacker could establish a Netlogon secure channel connection to an Active Directory domain controller and become the domain administrator. CISA is warning that unpatched systems will be an attractive target for malicious actors and encourages users and administrators to review Microsoft’s August Security Advisory for CVE-2020-1472 and Article for more information, and apply the necessary updates. Dutch security firm Secura B.V. disclosed how this vulnerability could be used to compromise a Domain Controller and allow credentials to be stolen, dubbing the exploit Zerologon. 

The Sky’s the Limit

There are two factors that make this vulnerability uniquely critical: 

1. The attack does not rely on having any domain credentials, only that local access is present and you can communicate with a domain controller
2. A successful compromise can lead to Domain Administrator rights. 

To further raise eyebrows, public exploit code is now available, lowering the bar of skill necessary to exploit the flaw, and hence the CISA alert.

Once a bad actor has exploited this vulnerability and has Domain Administrator rights, they can wreak havoc by shutting down operations and further compromising the environment with the widespread deployment of ransomware or malware in general. Such powerful access will also provide direct access to files and other apps storing sensitive information that can be exfiltrated and/or used to bolster ransom demands. 

The Patch Is Useless If You Can’t Find Your Domain Controllers

In a large environment, domain controllers are often distributed and not easily seen by security teams. They may reside not only in various data centers around the world, but in some cases, they may be locally managed and unknown to the security team. This will typically result in the asset failing to be patched at which point it becomes a ticking time bomb. The critical nature of the Zerologon exploit makes finding and patching domain controllers a top priority. So much so, that CISA has issued a follow-on emergency directive requiring federal agencies to apply patches by 11:59P EDT, Monday, September 21, 2020. 

You Found Them. You Patched Them. Now What?

A successfully executed attack of this nature in a large, complex environment, could not only have compromised the domain but also distributed subsequent attacks to all connected assets. This would disrupt non-traditional, unmanaged assets as well. And that’s when you need to go back to your day-job; monitoring the behavior of all your devices against an accurate, up-to-date, asset inventory. It is basically a matter of chasing “fire and smoke”, whether it comes in the form of business users/customers reporting outages, or other technical telemetry data pointing to “something being wrong.”

I have written extensively of late about the importance of Cybersecurity Asset Management as part of a strong security program and this exploit is exactly the type of scenario that speaks to why it’s so important. 

It is essential for organizations then, to find vulnerable devices such as domain controllers so that they may be patched and then quickly determine if other systems may have already been affected. What can you do? Immediately take action utilizing the following steps:

1. Confirm you have located every AD domain controller in your environment
2. Immediately deploy the recommended patches from Microsoft
3. Continuously monitor and look for anomalous behavior

Armis Can Help 

The Armis platform can help you quickly find domain controllers or other devices vulnerable to CVE-2020-1472 in your environment. By using the Armis agentless device security platform, and its powerful Armis Standard Query (ASQ) tool, you can quickly search for and find these devices and can take the action necessary to prevent their compromise. Once the immediate threat is identified and addressed, the Armis platform continues performing real-time vulnerability and behavioral analyses, monitoring all devices in your environment to detect malicious behavior.

For more information and to see a full demonstration of Armis, please visit www.armis.com/demo.