Microsoft warns that hackers were exploiting the Zerologon vulnerability it patched a few weeks ago to carry out cyber attacks. The bug allows hackers to remotely control a Windows domain by compromising the Domain Controller. The US Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (DHS-CISA) says the bug exposed government systems to an “unacceptable risk” of cyber attacks. Consequently, CISA issued an emergency directive to federal agencies to patch their domain controllers within three days or disconnect them from federal networks. Microsoft also advised customers to immediately apply the CVE-2020-1472 security update.
Zerologon vulnerability details
Zerologon vulnerability allows hackers to execute cyber attacks on internet-facing Windows servers without requiring authentication credentials.
Microsoft says that the Zerologon vulnerability allows an attacker to connect to a domain controller using the Netlogon Remote Protocol (MS-NRPC). This protocol authenticates objects against a Windows Server domain controller. An attacker could forge an authentication token for specific Netlogon functionality and set the domain controller’s password to their choice. A flaw in the cryptographic algorithm of MS-NRPC allows this exploit to take place.
CISA says that Zerologon vulnerability could allow an attacker to access the Active Directory identity management services and control the entire network. The bug also affects the Samba file-sharing software.
A Dutch security firm, Secura BV, discovered the Zerologon vulnerability on September 14, 2020, as a proof of concept. According to the security firm’s description, Zerologon vulnerability is a low-hanging fruit, easily exploited by low-skilled threat actors, and is arguably the most serious discovered this year.
Microsoft delayed publishing the bug details to give system administrators enough time to patch their domain controllers. However, many organizations delayed updating their systems to ensure that legacy apps remained functional. This is because fixing the Zerologon vulnerability might cause authentication failure for some devices. Many organizations are also likely unaware that their windows domains are affected by Zerologon vulnerability.
Microsoft released the fix in stages, with Redmond releasing a Phase one update on August 2020 patch Tuesday shortly after the discovery. Phase 2, which involves the placement of domain controllers in enforcement mode, will be available in 2021.
Threat actors exploiting Zerologon vulnerability to carry cyber attacks
The tech giant now says it has detected Zerologon vulnerability exploitation in the wild, including by state-sponsored threat actors. Microsoft Security Intelligence said Iranian-backed hackers known as MERCURY or MuddyWatter, were using Zerologon vulnerability to carry out cyber attacks against organizations in the Middle East.
“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks,” MsftSecIntel tweeted on September 24, 2020.
MuddyWatter is a contractor for the Iranian government and works under the Islamic Revolutionary Guard Corps. The threat actor primarily carries cyber attacks against intergovernmental organizations, NGOs, human rights organizations, and humanitarian aid organizations.
The cyber attacks from the state-sponsored hackers started about one week after Microsoft released the bug information. The group exploited Zerologon vulnerability to carry out cyber attacks two weeks before Microsoft discovered any exploits in the wild.
The nature of Zerologon cyber attacks detected in the wild
Some attacks observed by Microsoft involve fake software updates communicating with command and control (C&C) infrastructure controlled by TA505, also known as Evil Corp. The group is responsible for various banking Trojans and ransomware attacks. Microsoft tracks the North Korean-affiliated group as CHIMBORAZO.
The malicious updates used in Netlogon cyber attacks override the Windows security user account control (UAC) and run malicious scripts through the Windows Script Host tool (wscript.exe). Threat actors use MSBuild.exe to compile Mimikatz with inbuilt Zerologon vulnerability. Microsoft anticipates that hackers will incorporate Zerologon vulnerability into the most common exploit kits currently in use. Zerologon vulnerability is a lucrative asset for ransomware gangs hoping to penetrate corporate networks.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, observed that “What’s interesting here is the use of multiple, common ‘white hat’ hacker tools, including Metasploit and Mimikatz. That tells me that the attackers, whatever their motivations or skill level, don’t appear to be that skilled.” He points out that expert hackers develop their custom tools with less noise and are hard to detect.
David “moose” Wolpoff, a career hacker and CTO at Randori, is optimistic that cyber attacks exploiting Zerologon vulnerability are less likely to succeed. He also points out that bugs such as Zerologon vulnerabilities have limited shelf-life.
“Zerologon is a serious bug that abuses unpatched domain controllers. The good news is that we don’t generally see domain controllers on the internet, and most NGOs I’ve met are well aware of the effects this type of bug can have on their practical security and are able to take swift action. In this case, patches for Zerologon have been out since August.”