Have you patched against ZeroLogon? If not do it now…!
For those of you that have not heard about ZeroLogon or have not yet done anything about it you need to patch this critical Windows Server flaw now otherwise attackers could gain domain admin control putting your organization at risk.
Last month a vulnerability was discovered in a protocol used for connections to a Microsoft Windows domain controller on an internal Windows based network. Keeping things simple, if someone has access to a Windows domain controller with admin credentials, they’ve won, they have access to everything, putting your organization in a very vulnerable position.
What is Zerologon?
This affected protocol is known as NetLogon Remote Protocol (MS-NRPC) and is designed to establish a secure channel for communication between domain controllers and other Microsoft Windows servers and desktops. The authentication mechanism contains a flaw that allows the encrypted communication to be predicted, so that a password for a Windows machine can be set to null or empty. This flaw then allows an attacker to impersonate any computer and obtain credentials for accounts with domain admin level permissions.
This exploit is being classed as critical with threat actors actively using public exploits against this vulnerability with little to no knowledge required. The flaw identified is present in Windows Server 2008 through to 2019 therefore affects a vast portion of Microsoft’s current server offerings. A significant spike in exploitation attempts have been reported in the last few days.
The Zerologon patch
A patch for this vulnerability was released in August however a vast amount of companies have not yet deployed. Microsoft has advised the following four steps to ensure this vulnerability is patched:
- UPDATE your Domain Controllers with an update released August 11, 2020 or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment. (This mode will be enforced in all updates from February 2021)
Further information can be found here
Ensuring your systems are up to date with the latest vendor patches will reduce the chances of your organization being attacked. Whilst there is no immediate fix for zero day exploits, ensuring a timely and consistent patch policy is in force within your organization is a great way to ensure you’re keeping secure.
If you are concerned that your organization may be at risk or you would like to discuss any support against cyber security threats please get in touch.