Becoming Domain Admin Made Easy: ZeroLogon (CVE-2020-1472)

By Mitchell Hurd, Lead Solution Architect – Cybersecurity

A very significant new vulnerability in Windows Server was disclosed on August 11, 2020 by Microsoft and it’s something you should be aware of right now.  Anyone on your network with the right bit of code can become Domain Admin with one click.  If that sounds scary, you read it right – it is very scary!  For most organizations once you have Domain Admin privileges you essentially have the keys to the kingdom.  In fact, this particular vulnerability is so scary that it was assigned a CVSS score of 10 out of 10, which is as high as it gets.

The Scope Of The Vulnerability

The vulnerability affects all current versions of the Windows Server operating system, has been nicknamed ZeroLogon, and is assigned the tracking number CVE-2020-1472.  It allows a device on the network, with no user credentials or privileges, to completely take over an Active Directory Domain Controller and steal Domain Admin credentials by exploiting a flaw in Windows Netlogon.  The exploit requires no additional setup or positioning, such as a man-in-the-middle position; basically any Domain Controller that can be reached on the network is vulnerable.  This type of privilege escalation is extremely powerful, especially since it is completely unauthenticated.  Tricking users into clicking on a phishing link is relatively easy, but even after doing so it typically takes a cybercriminal weeks or months to escalate privileges to the level this vulnerability grants right away.  Unfortunately, this instant escalation to the highest privilege level speeds up the cyber-attack lifecycle significantly.

This Is A Real Threat, Act Now!

For example: John in Sales (sorry John) clicks a phishing link and now the computer provides Domain Admin access on the network to a cybercriminal.  It is also now incredibly easy for a disgruntled employee to steal company data from a fileshare they do not have access to.  The employee can now become a Domain Admin and access whatever files they want.  There are already several proof-of-concept scripts available online, so this attack is not just theoretical, it is available to anyone to find with a few online searches.  Unfortunately, I also expect ransomware developers to integrate this exploit into future versions of their software to create even more powerful and effective ransomware attacks.

How can you protect yourself?  Utilize continuous vulnerability scanning solutions from companies like Tenable, which we blogged about in July of 2019, and patch your Windows servers, especially your domain controllers.  Microsoft has released security updates that address this vulnerability on all currently supported Windows Server platforms, so run Microsoft Update and install the patches on all of your servers today if you have not already done so.  Demonstrating just how serious this issue is, Microsoft released a patch for Windows Server 2008 R2 even though they officially ended support for it in January of 2020!  Security solution providers have released updates to look for and block exploit attempts using this vulnerability, so be sure to update those systems as well.

The Journey To A More Secure Business

Dasher has been a CIS SecureSuite member for several years now, and we strongly recommend that our clients follow the guidelines set up by the Center for Internet Security.  Dasher implements the 20 CIS Controls for our clients because the controls provide a recipe book that companies can follow to become more secure.  For example, Control 3 is Continuous Vulnerability Management and Control 4 is Controlled Use of Administrative Privileges, both of which are critical to addressing the ZeroLogon vulnerability.  Beyond patching your vulnerable systems, treat this as another reminder to examine your organization's overall security strategy now.  This vulnerability highlights that organizations that have been relying on account privilege control alone to decide who gets access to which resources on the network should be looking at other ways to strengthen their security posture.  Adopting a Zero Trust architecture is another thing to think about; we blogged about Zero Trust in January of 2019 and again in July 2020.

While it is still important to have privileged account management systems and processes in place, and to implement the principle of least privilege wherever you can, this exploit clearly shows that additional controls and a defense-in-depth approach are critical to a comprehensive security program.  Vulnerability scanning and patch management are critical, and all servers and IT infrastructure should receive critical updates in a timely fashion.  Use Multi-Factor Authentication to protect your accounts and server access wherever you can.  Segment and protect devices and servers at the network level, and look into systems that will help you achieve micro-segmentation.  And finally, visibility into what is on your network is critical so you can "see" what is happening, keep logs that track the who/what/when/where of everyone and everything on your network, and have automated systems looking for suspicious activity.  It is so critical that CIS Controls 1 and 2 address the fact that you need inventories of all the hardware and software on your network.  Start there!
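As an added example (not part of this post or any Dasher tooling), here is the kind of automated log check the previous two paragraphs call for, written against the two Windows Security-log events most associated with CVE-2020-1472: event 4742 (a computer account was changed) performed by ANONYMOUS LOGON, and event 5829 (a patched domain controller allowed a vulnerable Netlogon secure channel).  The field names assume a SIEM export in a simple dict form, and all sample records are constructed.

```python
"""Triage Windows Security-log events for CVE-2020-1472 (ZeroLogon) indicators.

Event records are simplified dicts as a SIEM might export them (assumption);
the SAMPLE_EVENTS below are constructed, not real log data.
"""

# Microsoft-documented Security-log event IDs used by this check.
EVT_COMPUTER_ACCOUNT_CHANGED = 4742     # "A computer account was changed"
EVT_VULNERABLE_NETLOGON_ALLOWED = 5829  # vulnerable Netlogon secure channel allowed


def is_machine_account(name):
    """Active Directory machine accounts end in '$' (e.g. DC01$)."""
    return name.endswith("$")


def triage(events):
    """Return (event_id, reason, record) findings worth an analyst's attention."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == EVT_COMPUTER_ACCOUNT_CHANGED:
            subj = ev.get("SubjectUserName", "")
            target = ev.get("TargetUserName", "")
            # A machine account changed by an unauthenticated caller is the
            # classic ZeroLogon footprint: the flaw lets an unauthenticated
            # client reset a domain controller's own machine account password.
            if subj.upper() == "ANONYMOUS LOGON" and is_machine_account(target):
                findings.append((eid, f"machine account {target} changed by ANONYMOUS LOGON", ev))
        elif eid == EVT_VULNERABLE_NETLOGON_ALLOWED:
            # Logged by a patched DC that is not yet enforcing secure RPC:
            # the named client still uses an insecure channel and must be fixed.
            client = ev.get("ClientName", "<unknown>")
            findings.append((eid, f"vulnerable Netlogon channel allowed for client {client}", ev))
    return findings


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "Computer": "DC01.corp.example"},
    {"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "DC01$", "Computer": "DC01.corp.example"},  # routine rotation
    {"EventID": 5829, "ClientName": "LEGACY-NAS", "Computer": "DC01.corp.example"},
    {"EventID": 4624, "SubjectUserName": "jsmith", "Computer": "WS042.corp.example"},  # unrelated logon
]

if __name__ == "__main__":
    for event_id, reason, _record in triage(SAMPLE_EVENTS):
        print(f"[{event_id}] {reason}")
```

A hit on the 4742 rule means the DC's own account was changed by an unauthenticated party and should be treated as a confirmed compromise; 5829 hits are an inventory of devices that still need fixing before the DC can be moved into enforcement mode.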

Let Dasher Guide You On Your Cybersecurity Journey

If you would like to discuss how Dasher can help you assess, architect, implement and manage a more cybersecure enterprise, or would just like to talk about cybersecurity with our engineering team, feel free to reach out via our Contact Us page.
