Termed Zerologon (CVE-2020-1472), the vulnerability in Netlogon lets an attacker use native endpoint tools to elevate privileges. Discovered by researchers from Secura, it allows attackers to gain unauthenticated control of Active Directory by using the Netlogon Remote Protocol (MS-NRPC) to connect to a domain controller and obtain domain administrator access.
The Netlogon Remote Protocol is an RPC interface available on Windows domain controllers. It is used for various tasks related to user and machine authentication using the NTLM (NT LAN Manager) protocol.
This protocol does not use the same authentication scheme as other RPC services. Instead, it uses a customized cryptographic protocol that allows a client (a domain-joined computer) and a server (the domain controller) to prove to each other that they both know a shared secret.
The cryptographic protocol used is rather unorthodox and has not been put under much scrutiny (see CVE-2019-1424). A study conducted last year showed that Netlogon calls were not being encrypted when a fallback to SMB occurred while a session had already been established.
[Technical overview diagram of the attack; image source: Secura, CVE-2020-1472]
Protection during solution rollout
Microsoft is addressing the vulnerability in a phased two-part rollout, with a patch already available for part 1. These updates address the vulnerability by modifying how Netlogon handles the usage of secure channels. The second phase of the Windows updates will become available in Q1-2021.
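As an added example (not code from the original post), the PowerShell check below lists which accounts are still establishing vulnerable Netlogon secure channels against a patched domain controller, so an administrator can fix them before the second phase begins enforcing. It assumes the Netlogon System event IDs that the phase-1 update introduced (5827, 5828, 5829), which this page does not mention, and that it is run with administrative rights on the domain controller.

```powershell
# Added example, not code from the Bitdefender post. Assumes it runs with
# administrative rights on a domain controller that has the phase-1 update.
# Since that update, the DC logs System event 5829 when it still allows a
# vulnerable Netlogon secure channel connection, and 5827 (machine account)
# or 5828 (trust account) when it denies one. Listing the accounts behind
# 5829 events shows what will break once phase-2 enforcement begins.
$lookbackDays = 7
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829
    StartTime = (Get-Date).AddDays(-$lookbackDays)
} -ErrorAction SilentlyContinue

# The rendered message names the account and the client IP address; the
# field labels matched below follow Microsoft's wording and are an assumption.
$report = foreach ($e in $events) {
    $account  = if ($e.Message -match '(?:Machine SamAccountName|Trust Name):\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $clientIp = if ($e.Message -match 'Client IP Address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Outcome     = if ($e.Id -eq 5829) { 'allowed (vulnerable)' } else { 'denied' }
        Account     = $account
        ClientIP    = $clientIp
    }
}

# One row per account and outcome: how often it was seen and whether the
# connection was still allowed. Accounts under 'allowed (vulnerable)' need
# updating or an explicit policy exception before enforcement starts.
$report |
    Group-Object Account, Outcome |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Account / Outcome'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it on each domain controller, since the events are written locally on the DC that accepted the connection.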
Bitdefender customers are already protected by our end-to-end GravityZone breach avoidance platform, which deploys heuristic models to analyze the behavior of the message requests used to compromise the domain controller hosting Active Directory. It prevents the adversary from leveraging "living-off-the-land" tools to make system- or environment-level changes.
The following Bitdefender technologies identify this vulnerability early in the attack kill chain:

1. Identifying network exploits

Bitdefender Network Attack Defense quickly detects exploit attempts at the initial access, discovery and credential access stages, and prevents a range of attacks, from lateral movement, web-service attacks and traffic-level attacks to privacy breaches carried out via phishing to exfiltrate data.

2. Advanced Anti-Malware Security

Patented machine learning combines the security capabilities required to protect against both legacy and modern attacks using technologies including:
Behavior analytics coupled with event correlation allows for effective remediation actions, including terminating the process and rolling back changes.

3. Indicators of Risk
Bitdefender provides an integrated, centralized Endpoint Risk Analytics (ERA) module that offers comprehensive identification and remediation of many network and operating system risks at the endpoint level.
The indicators of risk are grouped into three major categories:
Patch Management creates a flexible and simplified workflow to support both automatic and manual patching for vulnerable applications.
Human Risk Analytics provides details about user behavior while preserving user autonomy to perform their jobs and retaining a measure of privacy for their actions.
If you are looking to secure your infrastructure, get a free, 90-day full product evaluation for GravityZone with our unique, limited time offer.
Bitdefender is a technology provider of choice, with 38% of cybersecurity vendors worldwide using one or more Bitdefender technologies. To maintain our high quality and accuracy of detection, Bitdefender remains committed to developing technologies in house, and to maintaining over 50% of its workforce in R&D teams.