Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472

ronjor · Sep 14, 2020

Original release date: September 14, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available exploit code for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. Attackers could exploit this vulnerability to obtain domain administrator access.
CISA encourages users and administrators to review Microsoft’s August Security Advisory for CVE-2020-1472 and Article for more information and apply the necessary updates.
Click to expand...

mood · Sep 20, 2020

CERT/CC Releases Information on Critical Vulnerability in Microsoft Windows Netlogon Remote Protocol
September 17, 2020
https://us-cert.cisa.gov/ncas/curre...-information-critical-vulnerability-microsoft

The CERT Coordination Center (CERT/CC) has released information on CVE-2020-1472, a vulnerability affecting Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker could exploit this vulnerability to obtain Active Directory domain administrator access. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors.

The Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the following resources and apply the necessary updates and workaround.
Click to expand...

CERT/CC Vulnerability Note VU#490028

Microsoft’s Security Advisory for CVE-2020-1472

Microsoft’s guidance on How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

Click to expand...

A Proof of Concept Exploit for the “Windows Zerologon” Flaw is Out

highly critical flaw that received a severity level of 10.0 in the CVSS scale
Click to expand...

mood · Sep 19, 2020

CISA Releases Emergency Directive on Microsoft Windows Netlogon Remote Protocol
September 18, 2020
https://us-cert.cisa.gov/ncas/curre...mergency-directive-microsoft-windows-netlogon

The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive (ED) 20-04 addressing a critical vulnerability— CVE-2020-1472—affecting Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker with network access to a domain controller could exploit this vulnerability to compromise all Active Directory identity services.

Earlier this month, exploit code for this vulnerability was publicly released. Given the nature of the exploit and documented adversary behavior, CISA assumes active exploitation of this vulnerability is occurring in the wild. ED 20-04 applies to Executive Branch departments and agencies; however, CISA strongly recommends state and local governments, the private sector, and others patch this critical vulnerability as soon as possible. [...]
Click to expand...

mood · Sep 22, 2020

ACSC
Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
September 22, 2020
https://www.cyber.gov.au/acsc/view-...evation-privilege-vulnerability-cve-2020-1472

The ACSC is aware of a recently disclosed critical vulnerability in Microsoft Active Directory Domain Controller systems that allows unauthenticated attackers to trivially access administrative credentials.

Alert status: HIGH
Proof of concept code to exploit the vulnerability is now freely available online and has been integrated into common exploit frameworks and tools.
CVE-2020-1472 also affects several other products not previously covered by the advisory, including, but not limited to:

• Samba implementations on Linux systems, prior to v4.8. This includes all Linux distributions that utilise the official Samba packages.
In most cases, CVE-2020-1472 is a privilege escalation vulnerability. However, adversaries may be able exploit the vulnerability for initial access if a Domain Controller is internet exposed.
Click to expand...

ronjor · Sep 24, 2020

Unpatched Domain Controllers Remain Vulnerable to Netlogon Vulnerability, CVE-2020-1472

Original release date: September 24, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. Applying patches from Microsoft’s August 2020 Security Advisory for CVE-2020-1472 can prevent exploitation of this vulnerability.
Click to expand...

CISA has released a patch validation script to detect unpatched Microsoft domain controllers. CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable. Review the following resources for more information:
Click to expand...

mood · Sep 29, 2020

Microsoft clarifies patch confusion for Windows Zerologon flaw
September 29, 2020
https://www.bleepingcomputer.com/ne...s-patch-confusion-for-windows-zerologon-flaw/

Microsoft clarified the steps customers should take to make sure that their devices are protected against ongoing attacks using Windows Server Zerologon (CVE-2020-1472) exploits.

The company revised the advisory after customers found Microsoft's original guidance confusing and were unsure if applying the patch was enough to protect vulnerable Windows Server devices from attacks.
In a step-by-step approach, the updated advisory now explains the exact actions that administrators need to take to make sure that their environments are protected and outages are prevented in the event of an incoming attack designed to exploit servers that would otherwise be vulnerable to Zerologon exploits.

We have updated the KB article for CVE-2020-1472 to provide clarity on customers actions to ensure they are protected. See details here: https://t.co/l4MwY9DFvt
— Security Response (@msftsecresponse) September 28, 2020
Click to expand...

Ongoing Zerologon attacks
Last week, Microsoft warned admins to urgently apply security updates for Zerologon after discovering threat actors actively using CVE-2020-1472 exploits during attacks.

Microsoft Senior Threat Intelligence Analyst Kevin Beaumont confirmed that attacks started September 26th, with attackers successfully exploiting a vulnerable Active Directory server honeypot using a Zerologon exploit over the Internet.
"At 11:16 am UTC today (26th September 2020) somebody sent hundreds of login attempts matching the exploit chain, and then attempted to reset the domain computer password to blank (successfully, too)," Beaumont said. "This broke the domain controller for authentication."
Click to expand...

Yesterday, Cisco Talos security researchers also warned of "a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon."
Click to expand...

mood · Oct 9, 2020

Ransomware gang now using critical Windows flaw in attacks
October 9, 2020
https://www.bleepingcomputer.com/ne...g-now-using-critical-windows-flaw-in-attacks/

Microsoft is warning that cybercriminals have started to incorporate exploit code for the ZeroLogon vulnerability in their attacks. The alert comes after the company noticed ongoing attacks from cyber-espionage group MuddyWater (SeedWorm) in the second half of September.
Fake updates and legit tools
Microsoft says that TA505, which it tracks as Chimborazo, deployed a campaign with fake software updates that connect to the threat actor’s command and control (C2) infrastructure.

The version of Mimikatz obtained this way includes exploit code for the ZeroLogon vulnerability (CVE-2020-1472). Over the past month, numerous researchers released proof–of–concept exploits for this flaw.
What Microsoft described in a short thread is a classic domain takeover attack, where ZeroLogon is a perfect fit
Click to expand...

Warnings released
Network admins received repeated warnings about the severity of the ZeroLogon vulnerability (maximum critical score 10/10) and urged to apply the current patch.
With exploit code that (domain admin privilege obtained in seconds) released since mid-September, threat actors moved quickly to incorporating it in their attacks.
Click to expand...

Minimalist · Oct 13, 2020

Election Systems Under Attack via Microsoft Zerologon Exploits

Cybercriminals are chaining Microsoft’s Zerologon flaw with other exploits in order to infiltrate government systems, putting election systems at risk, a new CISA and FBI advisory warns.
Click to expand...

https://threatpost.com/election-systems-attack-microsoft-zerologon/

mood · Oct 29, 2020

Microsoft Warns of Continued Exploitation of CVE-2020-1472
October 29, 2020
https://us-cert.cisa.gov/ncas/curre...ft-warns-continued-exploitation-cve-2020-1472

Microsoft has released a blog post on cyber threat actors exploiting CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks.

CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes. CISA has released a patch validation script to detect unpatched Microsoft domain controllers. If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.
Click to expand...

In the coming weeks and months, administrators should take follow-on actions that are described in guidance released by Microsoft to prepare for the second half of Microsoft’s Netlogon migration process, which is scheduled to conclude in February 2021.
Click to expand...

mood · Nov 30, 2020

Microsoft Defender for Identity now detects Zerologon attacks
November 30, 2020
https://www.bleepingcomputer.com/ne...r-for-identity-now-detects-zerologon-attacks/

Microsoft has added support for Zerologon exploitation detection to Microsoft Defender for Identity to allow Security Operations teams to detect on-premises attacks attempting to abuse this critical vulnerability.

Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution designed to leverage on-premises Active Directory signals to detect and analyze compromised identities, advanced threats, and malicious insider activity targeting an enrolled organization.

"Microsoft Defender for Identity can detect this vulnerability early on," Microsoft program manager Daniel Naim said. "It covers both the aspects of exploitation and traffic inspection of the Netlogon channel."
Click to expand...

mood · Jan 15, 2021

Microsoft Implements Windows Zerologon Flaw ‘Enforcement Mode’
Starting Feb. 9, Microsoft will enable Domain Controller “enforcement mode” by default to address CVE-2020-1472.
January 15, 2021
https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/

Microsoft is taking matters into its own hands when it comes to companies that haven’t yet updated their systems to address the critical Zerologon flaw. The tech giant will soon by default block vulnerable connections on devices that could be used to exploit the flaw.

Starting Feb. 9, Microsoft said it will enable domain controller “enforcement mode” by default, a measure that would help mitigate the threat.
Click to expand...

Domain Controller enforcement mode “will block vulnerable connections from non-compliant devices,” said Aanchal Gupta, VP of engineering with Microsoft in a Thursday post.

“DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.”
Click to expand...

Log in or Sign up

Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472

ronjor Global Moderator

mood Updates Team

mood Updates Team

mood Updates Team

ronjor Global Moderator

mood Updates Team

mood Updates Team

Minimalist Registered Member

mood Updates Team

mood Updates Team

mood Updates Team

Log in or Sign up

Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472

ronjor Global Moderator

mood Updates Team

mood Updates Team

mood Updates Team

ronjor Global Moderator

mood Updates Team

mood Updates Team

Minimalist Registered Member

mood Updates Team

mood Updates Team

mood Updates Team

Useful Searches