Last September, the US Cybersecurity and Infrastructure Security Agency (CISA), which rarely issues directives about specific vulnerabilities, instructed government agencies that use Microsoft Windows Active Directory in their networks to patch all domain controllers immediately. The matter related to the vulnerability CVE-2020-1472 in the Netlogon protocol, dubbed Zerologon.
10.0 on the hazard scale
The Zerologon vulnerability stems from an unreliable cryptographic algorithm in the Netlogon authentication mechanism. It allows an intruder who has connected to the corporate network or infected a computer on it to attack, and ultimately take control of, a domain controller.
The vulnerability scores the CVSSv3 scale’s maximum value, 10.0. Microsoft issued a patch back in August, but it was an in-depth study by Dutch cybersecurity firm Secura that drew widespread attention to Zerologon and how it can be exploited. Within hours of the document’s release, researchers began publishing their own proofs of concept (PoC). Within a few days, at least four samples of open-source code were available on GitHub, demonstrating how the vulnerability could be actually used.
Zerologon in real attacks
Of course, the publicly available PoCs attracted the attention not only of infosec experts, but also of cybercriminals — who only had to cut and paste the code into their malware. For example, in early October, Microsoft reported attempts by the TA505 group to exploit Zerologon. The cybercriminals disguised the malware as a software update and compiled attack tools on infected computers to exploit the vulnerability.
Another group, the one behind the Ryuk ransomware, used Zerologon to infect a company’s entire local network in just five hours. Having sent an employee a standard phishing e-mail, the gang waited for it to be clicked and the computer infected, and then used Zerologon to move laterally through the network, distributing a ransomware executable to all servers and workstations.
Why Zerologon is dangerous
It might seem that exploiting Zerologon requires an attack on a domain controller from inside the local network. In fact, however, cybercriminals have long been able to surmount this obstacle using various methods for hijacking a computer in the network. These include the use of phishing, supply-chain attacks, and even unattended network jacks in office areas for visitors. An additional danger comes from remote connections (which almost all companies use these days) — especially if employees are able to connect to corporate resources from their own devices.
The main problem with Zerologon (and other, hypothetical vulnerabilities of this kind) is that its exploitation looks like a standard data exchange between a computer in the network and a domain controller; only the unusual intensity of the exchange will ever arouse suspicion. As such, companies that rely solely on endpoint security solutions have little chance of detecting such attacks.
The task of handling anomalies of this kind is best left to specialized services such as Kaspersky Threat Hunting. It is in fact an external security center with in-depth knowledge of cybercriminal tactics, providing detailed practical recommendations to the client.
As soon as the details of Zerologon were published, Kaspersky SOC experts began tracking attempts to exploit the vulnerability within the Threat Hunting service, enabling the timely detection of adversarial activity which allows for effective incident response.
To learn more about the solution, please see the Kaspersky Threat Hunting page.