Through the recently-emerged critical vulnerability, Zerologon (CVE-2020-1472), attackers can impersonate the identity of any computer on a network, bypassing authentication and tricking the domain controller or domain PCs into rapidly escalating their privileges. Rated at the maximum rank of ‘10’ on the CVSS scale, this vulnerability appears to affect all currently-supported versions of the Windows Server OS (2008 R2 and later). After successful execution of a Zerologon attack, the intruder can disable security features, change passwords, and take over the system. This all happens lightning-fast – an expert can conduct the entire attack in about three seconds. According to Trend Micro, “weaponized proof-of-concept code” is already freely available, meaning that volatile, complex exploits are likely in the near future (or have already been leveraged).
Learn more about Zerologon here.
Standard Mitigation and Prevention
- Patch all affected systems with Microsoft’s latest security update.
While patching requires special preparation and scheduling for any shop floor asset, this is naturally much more manageable at small scale. When running an operation with a massive number of assets, it can be extremely challenging. This is especially true for Active Directory (AD) servers: patching an AD server is messy work because of the certification and authentication steps involved. The process is not one big job but many connected big jobs, and it certainly requires patch management. A large organization will often also be running redundant or regional AD servers, each of which requires attention.
- Ensure physical and remote network access are both well-protected.
Current evidence shows that hackers cannot use this exploit against the domain controller or domain PCs directly from outside the network. Instead, they must first probe or scan a computer on your network, and then use the information gained to launch the exploit against the domain controller or domain PC through the Netlogon service. This means that better-built security on your network (network segmentation, for example) significantly increases your safety from an attack like Zerologon.
ICS & Large-Scale Mitigation and Prevention
Fortunately, this vulnerability is easily prevented through the use of virtual patch technology. If you’ve deployed TXOne Networks’ EdgeFire or EdgeIPS, all you need is this rule: 1137620 RPC Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472). To get this rule operational within your deployed asset, all you need to do is download our latest signature update and apply it. By applying this rule, EdgeFire and EdgeIPS can smoothly protect against Zerologon, keeping your system from being taken over and keeping your production line running.
Our researchers have provided these GIFs showing what Zerologon looks like in action.
First, here’s what it looks like without protection from our EdgeIPS Pro:
- The attacker uses CVE-2020-1472 to attack the AD server, setting the domain controller's Netlogon machine account password to an empty value.
- The attacker uses the empty password to dump credentials from the AD server via Netlogon.
- The attacker logs into the AD server using the administrator’s credentials.
- The attacker now has full control of the AD server.
This is what it looks like if our EdgeIPS Pro is deployed:
With EdgeIPS Pro deployed, the attacker is blocked at step 1, unable to attack the AD server or reset the Netlogon machine account password to an empty value.
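Whether or not an IPS rule is in front of the domain controller, the patch from the first mitigation step only closes the hole once the DC is enforcing secure Netlogon channels. The following added example (not TXOne's code and not part of the original post) triages the Netlogon events that Microsoft's update writes to the DC's System log, so an operator can see which machine accounts are still negotiating the vulnerable channel that step 1 of the attack chain relies on. Assumptions: the event ID meanings are taken from Microsoft's guidance for the CVE-2020-1472 update, and the comma-separated export format and all account names and addresses are constructed for the demonstration.

```python
import re
from collections import Counter

# Netlogon System-log event IDs introduced by Microsoft's CVE-2020-1472 update.
# Assumption: meanings as documented in Microsoft's guidance for that update.
NOT_ENFORCING = {5829}          # vulnerable machine-account channel allowed (DC not enforcing)
POLICY_EXCEPTION = {5830, 5831} # vulnerable channel allowed only because of a policy exception
DENIED = {5827, 5828}           # vulnerable channel denied (enforcement mode working)

# Constructed sample export (not real log data): "<EventID>,<account>,<client_ip>".
SAMPLE_EVENTS = """\
5829,LAB-HMI01$,10.10.20.15
5829,LAB-HMI01$,10.10.20.15
5830,LAB-PLCGW$,10.10.20.40
5827,LAB-ENG02$,10.10.30.7
4624,admin,10.10.30.7
"""

LINE_RE = re.compile(r"^(\d+),([^,]+),(\S+)$")


def parse_events(text):
    """Yield (event_id, account, client_ip) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def triage_netlogon_events(text):
    """Group Netlogon secure-channel events by (account, client) and report
    whether the DC is still accepting the vulnerable channel."""
    still_vulnerable, exceptions, denied = Counter(), Counter(), Counter()
    for event_id, account, client_ip in parse_events(text):
        key = (account, client_ip)
        if event_id in NOT_ENFORCING:
            still_vulnerable[key] += 1
        elif event_id in POLICY_EXCEPTION:
            exceptions[key] += 1
        elif event_id in DENIED:
            denied[key] += 1
    return {
        "dc_enforcing": not still_vulnerable,   # any 5829 means enforcement is not in effect
        "still_vulnerable": dict(still_vulnerable),
        "policy_exceptions": dict(exceptions),
        "denied": dict(denied),
    }


if __name__ == "__main__":
    for name, value in triage_netlogon_events(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

Accounts listed under still_vulnerable or policy_exceptions are the ones an attacker could still use for the empty-password reset, so they are the first candidates for patching or for a segmentation rule in front of the DC.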