The story of ZeroLogon

This is the story of a vulnerability that was brought about by the incorrect use of an encryption technique. After it was discovered by researchers, the vulnerability was patched and that should have been the end of the story. Unfortunately the patch caused problems of its own, which made it very unpopular. Cybercriminals seized the opportunity to use the vulnerability for their own purposes. This is the story of ZeroLogon.

What is ZeroLogon?

The ZeroLogon vulnerability was discovered by researchers at Secura and is listed in the Common Vulnerabilities and Exposures (CVE) database under CVE-2020-1472:

"An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'."

This vulnerability exploits a cryptographic flaw in Microsoft's Active Directory Netlogon Remote Protocol (MS-NRPC), which allows users to log on to servers that are using NTLM (NT LAN Manager). Researchers explained that the issue stems from the incorrect use of AES-CFB8 encryption, which requires randomly generated initialization vectors for each authentication message. Sadly, Windows didn't take this requirement into consideration. An attacker can use zeros for the initialization vector, allowing them to take over a domain controller in a matter of seconds.
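Why the per-message random IV matters, as an added example that is not part of the original article: CFB8 feeds each ciphertext byte back into the cipher input, so with a fixed all-zero IV an all-zero message stays all-zero whenever the first keystream byte happens to be zero, which is true for roughly 1 key in 256. Python's standard library has no AES, so `block_encrypt` is a SHA-256 based stand-in (an assumption); the effect depends only on the CFB8 structure, and the keys and the 8-byte message are constructed.

```python
import hashlib
import os

BLOCK = 16  # AES block size in bytes

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES (assumption): a keyed pseudorandom function on
    16-byte blocks. CFB8 only ever calls the cipher in this direction."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: one keystream byte per block-cipher call, ciphertext fed back."""
    register = iv
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, register)[0]
        out.append(c)
        register = register[1:] + bytes([c])  # shift in the ciphertext byte
    return bytes(out)

ZERO_IV = bytes(BLOCK)
MESSAGE = bytes(8)  # constructed input: eight zero bytes

def count_all_zero_outputs(n_keys: int, random_iv: bool) -> int:
    """Count how many of n_keys keys encrypt MESSAGE to all zeros."""
    hits = 0
    for i in range(n_keys):
        key = hashlib.sha256(b"demo-key-%d" % i).digest()[:16]  # constructed keys
        iv = os.urandom(BLOCK) if random_iv else ZERO_IV
        if cfb8_encrypt(key, iv, MESSAGE) == MESSAGE:
            hits += 1
    return hits

if __name__ == "__main__":
    n = 8192
    print("fixed zero IV:", count_all_zero_outputs(n, False), "of", n,
          "(about n/256 expected)")
    print("random IV    :", count_all_zero_outputs(n, True), "of", n)
```

With a fresh random IV per message the same outcome needs all eight keystream bytes to be zero, which does not happen in practice.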

How bad is this vulnerability?

Very bad, is the short answer. ZeroLogon has been successfully weaponized by malware authors, who use it for the lateral infection of corporate endpoints. The sophisticated Trickbot Trojan uses ZeroLogon, which means that it can spread across a vulnerable network easily. Ryuk ransomware has also been seen using the ZeroLogon vulnerability.

Is there a patch?

Yes, but there's a "but". The vulnerability was actually patched in August 2020, and it wasn't until a researcher published a report about the vulnerability in September that we started to see it used in malicious activity.

In late October, Microsoft warned that threat actors were actively exploiting systems that were unpatched against ZeroLogon privilege escalation.

In November Microsoft also added detection rules to Microsoft Defender to "detect adversaries as they try to exploit this vulnerability against your domain controllers."

The general advice is to use Secure RPC to prevent these attacks. Secure RPC is an authentication method that authenticates both the host and the user who is making a request for a service. Secure RPC uses the Diffie-Hellman authentication mechanism, which uses DES encryption rather than AES-CFB8.

Why isn't everything patched against ZeroLogon by now?

The problem with the patch is that it is not enough to update the server side (Domain Controller), because clients also need to be updated for the protocol to work. And even though Microsoft took care to issue patches for Windows devices, it didn't provide a solution for legacy operating systems that are no longer supported, or for third-party products. This means that enforcing Secure RPC may break operations for these incompatible systems.

So, what's next?

Now, Microsoft has announced that it will enforce the use of Secure RPC.

"beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default.  This will block vulnerable connections from non-compliant devices.  DC enforcement mode requires that all Windows and non-Windows devices use Secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device."

Having read that you might be thinking: "But you said it might break incompatible systems!" True, so Microsoft has made a list of actions that will result in a detailed update plan.

The update plan outlined by Microsoft includes the following actions:

  • UPDATE your Domain Controllers with an update released August 11, 2020 or later.
  • FIND which devices are making vulnerable connections by monitoring event logs.
  • ADDRESS non-compliant devices making vulnerable connections.
  • ENABLE enforcement mode to address CVE-2020-1472 in your environment.
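One way to work through the FIND and ADDRESS steps, as an added example that is not part of the original article: triage exported Netlogon events per account to see which devices still block enforcement. The event IDs 5827 to 5831 are the ones Microsoft documents for this update rather than values from this page; the JSON field names and the sample records are constructed.

```python
import json
from collections import defaultdict

# Netlogon System-log event IDs Microsoft documents for CVE-2020-1472.
DENIED = {5827, 5828}             # connection refused by the DC
ALLOWED_VULNERABLE = {5829}       # allowed for now, refused under enforcement
ALLOWED_BY_POLICY = {5830, 5831}  # allowed because of an explicit exception
RELEVANT = DENIED | ALLOWED_VULNERABLE | ALLOWED_BY_POLICY

# Constructed sample export; field names are assumptions, not the real schema.
SAMPLE_EXPORT = """[
  {"id": 5829, "dc": "DC01", "account": "NAS01$"},
  {"id": 5829, "dc": "DC02", "account": "NAS01$"},
  {"id": 5830, "dc": "DC01", "account": "SCANNER7$"},
  {"id": 5827, "dc": "DC01", "account": "OLDAPP$"},
  {"id": 7036, "dc": "DC01", "account": ""},
  {"id": 5829, "dc": "DC02", "account": "LEGACYXP$"}
]"""

def triage(events):
    """Map each account to the follow-up its Netlogon events call for."""
    ids_by_account = defaultdict(set)
    for event in events:
        if event["id"] in RELEVANT:  # ignore unrelated System-log events
            ids_by_account[event["account"]].add(event["id"])
    report = {}
    for account, ids in sorted(ids_by_account.items()):
        if ids & DENIED:
            report[account] = "denied: update the device or decide on an exception"
        elif ids & ALLOWED_VULNERABLE:
            report[account] = "vulnerable: update or replace before enforcement"
        else:
            report[account] = "exception: track and retire"
    return report

def blocks_enforcement(report):
    """Accounts that would lose connectivity once enforcement mode is on."""
    return [a for a, action in report.items() if action.startswith("vulnerable")]

if __name__ == "__main__":
    report = triage(json.loads(SAMPLE_EXPORT))
    for account, action in report.items():
        print(f"{account:12} {action}")
    print("not ready for enforcement:", blocks_enforcement(report))
```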

This probably means there is still no happy ending to this story. Addressing the non-compliant devices will often not be as easy as it sounds, and in many cases it will end with sysadmins making an exception for such a device. It is advisable, however, to at least try to follow the steps, because in the end it will pay off to remove (or at least limit) the vulnerable devices and machines on your network. The cybercriminals will not let go of this treasure so easily.

Stay safe, everyone!

The post The story of ZeroLogon appeared first on Malwarebytes Labs.


