Hackers are actively exploiting Windows Netlogon vulnerability, NCSC warns

The National Cyber Security Centre has advised organisations to take immediate steps to mitigate a critical vulnerability in Microsoft Windows Netlogon Remote Protocol that, if exploited, allows an attacker to hijack a Domain Admin account and compromise the domain controller.

Microsoft Windows Netlogon is a Windows Server process that authenticates domain controllers and other users within a domain. It is part of a domain's security hierarchy along with the Workstation service and the Server Message Block protocol, enabling secure communications across all nodes of a network.

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organisations about a critical vulnerability — CVE-2020-1472— plaguing the Netlogon Remote Protocol. CISA said the vulnerability is being actively exploited in the wild after the exploit code was released publicly in early September.

According to the National Cyber Security Centre, the exploit, dubbed Zerologon, "allows an attacker with network access to a Domain Controller to impersonate any domain user and change their account password. This includes the ability to change the Domain Admin account password, leading to compromise of the Domain Controller."

It added that cyber criminals have updated publicly available hacking tools such as Mimikatz and Metasploit to exploit the privilege vulnerability and all Windows Server versions not patched with the 11/08/2020 update are exposed to Zerologon attacks.

In order to mitigate the threat, organisations need to ensure that all Domain Controllers are patched via Microsoft's August 2020 security update. Once this is done, they will need to enable Domain Controllers (DC) enforcement mode via a registry key or by applying the 9 February 2021 security update when it is available.

There are also a couple of ways organisations can detect if hackers have exploited the Netlogon Remote Protocol vulnerability to target their Domain Controller accounts. Once the exploit is put into action, it leaves a couple of tell-tale signs such as Windows Event ID 4742 ‘A computer account was changed’ and Windows Event ID 4672 ‘Special privileges assigned to new logon’.

The Zerologon exploit can also be detected via the following rules:

Splunk Attack Range: https://www.splunk.com/en_us/blog/security/detecting-cve-2020-1472-using-splunk-attack-range.html

YARA rule: https://go.cynet.com/hubfs/rule%20Zerologon.yara

SNORT rule: https://gist.github.com/silence-is-best/435ddb388f872b1a2e332b6239e9150b

Sigma rules: https://blog.zsec.uk/zerologon-attacking-defending/#detection-response-monitoring-for-attacks

"The NCSC generally recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of the Zerologon exploit, the most important aspect is to install the latest patches as soon as practicable," NCSC added.

Read More: Microsoft dismantles Necurs botnet that targeted 9m devices since 2012