Hackers are actively exploiting Windows Netlogon vulnerability, NCSC warns

The National Cyber Security Centre has advised organisations to take immediate steps to mitigate a critical vulnerability in Microsoft Windows Netlogon Remote Protocol that, if exploited, allows an attacker to hijack a Domain Admin account and compromise the domain controller.

Microsoft Windows Netlogon is a Windows Server process that authenticates domain controllers and other users within a domain. It is part of a domain's security hierarchy along with the Workstation service and the Server Message Block protocol, enabling secure communications across all nodes of a network.

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organisations about a critical vulnerability, CVE-2020-1472, in the Netlogon Remote Protocol. CISA said the vulnerability is being actively exploited in the wild after the exploit code was released publicly in early September.

According to the National Cyber Security Centre, the exploit, dubbed Zerologon, "allows an attacker with network access to a Domain Controller to impersonate any domain user and change their account password. This includes the ability to change the Domain Admin account password, leading to compromise of the Domain Controller."

It added that cyber criminals have updated publicly available hacking tools such as Mimikatz and Metasploit to exploit the privilege escalation vulnerability, and that all Windows Server versions not patched with the 11/08/2020 update are exposed to Zerologon attacks.

In order to mitigate the threat, organisations need to ensure that all Domain Controllers are patched via Microsoft's August 2020 security update. Once this is done, they will need to enable Domain Controller (DC) enforcement mode via a registry key, or by applying the 9 February 2021 security update when it is available.

There are also a couple of ways organisations can detect if hackers have exploited the Netlogon Remote Protocol vulnerability to target their Domain Controller accounts. Once the exploit is put into action, it leaves a couple of tell-tale signs such as Windows Event ID 4742 ‘A computer account was changed’ and Windows Event ID 4672 ‘Special privileges assigned to new logon’.

The Zerologon exploit can also be detected via the following rules:

Splunk Attack Range: https://www.splunk.com/en_us/blog/security/detecting-cve-2020-1472-using-splunk-attack-range.html

YARA rule: https://go.cynet.com/hubfs/rule%20Zerologon.yara

SNORT rule: https://gist.github.com/silence-is-best/435ddb388f872b1a2e332b6239e9150b

Sigma rules: https://blog.zsec.uk/zerologon-attacking-defending/#detection-response-monitoring-for-attacks
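As an added illustration of the two tell-tale signs named above (not code from the NCSC or any of the linked rule sets), the following Python pairs a 4742 "computer account was changed" event with a later 4672 "special privileges" logon for the same machine account. The heuristics are assumptions for this example: a 4742 whose subject is ANONYMOUS LOGON and whose target ends in "$", followed within a short window by a 4672 for that account; the event records are constructed, not real log data.

```python
"""Added example: flag the Event ID 4742 / 4672 pattern over constructed sample
Security-log records. Heuristics assumed here (not stated by the article):
a 4742 where SubjectUserName is ANONYMOUS LOGON and TargetUserName is a machine
account, followed by a 4672 for that same machine account within a time window."""
from datetime import datetime

# Constructed sample events; field names mirror the Security log's EventData names.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TimeCreated": "2020-09-14T10:00:01",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    {"EventID": 4672, "TimeCreated": "2020-09-14T10:00:09",
     "SubjectUserName": "DC01$"},
    {"EventID": 4742, "TimeCreated": "2020-09-14T11:00:00",
     "SubjectUserName": "svc_admin", "TargetUserName": "WS042$"},  # benign: named admin
    {"EventID": 4672, "TimeCreated": "2020-09-14T11:30:00",
     "SubjectUserName": "jsmith"},  # benign: human admin logon
]


def _ts(value):
    return datetime.fromisoformat(value)


def suspicious_password_resets(events):
    """Return 4742 events whose subject is ANONYMOUS LOGON and whose target is a machine account."""
    return [e for e in events
            if e["EventID"] == 4742
            and e["SubjectUserName"].upper() == "ANONYMOUS LOGON"
            and e["TargetUserName"].endswith("$")]


def correlate_privileged_logons(events, window_seconds=600):
    """Pair each suspicious 4742 with a 4672 for the same machine account within the window.

    Returns (account, reset_time, logon_time) tuples, one per matching pair."""
    hits = []
    for reset in suspicious_password_resets(events):
        t0 = _ts(reset["TimeCreated"])
        for e in events:
            if e["EventID"] == 4672 and e["SubjectUserName"] == reset["TargetUserName"]:
                delta = (_ts(e["TimeCreated"]) - t0).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append((reset["TargetUserName"], reset["TimeCreated"], e["TimeCreated"]))
    return hits


if __name__ == "__main__":
    for acct, reset_at, logon_at in correlate_privileged_logons(SAMPLE_EVENTS):
        print(f"ALERT {acct}: anonymous password reset at {reset_at}, privileged logon at {logon_at}")
```

On a real DC the same two functions would be fed the output of an event export rather than SAMPLE_EVENTS; the "$" suffix and ANONYMOUS LOGON checks are the part worth tuning to your environment.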

"The NCSC generally recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of the Zerologon exploit, the most important aspect is to install the latest patches as soon as practicable," NCSC added.

Copyright Lyonsdown Limited 2021
