Monday 2 November 2020

Zerologon Bug – Know the Unknown | Mono-Live

Zerologon Bug

We have recently got warnings from Microsoft about a critical vulnerability about which they told in August. We know it as the "Zerologon bug,'' CVE-2020-1472. Now, it has spread in a wide range. Due to which the attackers can hack the database of a company. And they can also remotely control a company's domain.

The bug has affected Windows 2008 and other new updated versions of windows. According to Microsoft, the attackers take the help of the Netlogon Remote Protocol for setting up a secure channel connection with a domain of a company. CISA, known as Cybersecurity and Infrastructure Security Agency, assumes that it can help the attackers to access a network with a domain controller. Zerologon flaw enables hackers to know about the whole network and all Active Directory identity services connected with them.

Recently, CISA has issued an emergency directive in which they have ordered all federal civilian agencies. The identifier of the bug is CVE-2020-1472. Researchers have found a nasty bug in Windows Server which they gave the name 'Zerologon'.

The Active Directory domain controller code has earned a complete ten rating on the CVSS scale. It stands for Common Vulnerability Scoring System. But the details of the controller can never be revealed. It means that users and I.T. administrators are unable to know how dangerous the problem is.

Importance of the Zerologon Bug for the attackers:

The attackers always have a foothold inside the network using which they can target the specific domain with ease. Now, the attackers get help from the post-compromise exploits also. The exploits have become very valuable to the attackers in recent times. 

When they have got some of the previous data, they can easily hack the domains of any company. As soon as the employees click on any links or attachments in the email, the attackers will hack their domains and steal important data.

Using the Zerologon bug, the hackers can quickly get control of the Active Directory. Moreover, you can get free rein to control it.

How Zerologon Bug works:

The Zerologon exploits uses a string of zeros. The attackers send it via the email of any targeted company. When any employee of that company clicks on it, the attackers using the Netlogon protocol to hack the servers of the company's domain. 

But it depends on various tasks like they allow the users to log in. That's why the Administrators need to be concerned about their installing updates. The network components are susceptible. So, you need to be concerned about the updates always.

It is reported that this bug is the most hazardous one comparing to the previous ones. The worth value of it is a 10/10 CVSSv3 severity score. For Microsoft, patching the bug is not so easy a job. It is scheduled in such a way so that it can be run over in two phases. For the first one, Microsoft will help you to let you know about how to fix the first phase. 

 

Microsoft has done this and made the Netlogon security features mandatory. However, if you want to get a more effective patch, then you need to wait till February. The attack made by the hackers was so quick that it only took nearly three seconds or less than that for hacking the domain of the targeted company.

Take over a domain controller with a number of zeros:

People can get in-depth knowledge about the bug from the team at Secura B.V. that is a Dutch security firm. They have published a technical report from where you can know about the CVE-2020-1472. According to this report, we come to know that the bug is precious for its 10/10 CVSSv3 severity score.

It was the Secura experts who named this bug as Zerologon. According to these professionals, it has taken the benefit of a cryptographic algorithm. The attackers used this algorithm in the Netlogon authentication process. 

They use the bug to follow the Netlogon authentication method. It can hide the identity of any computer with ease on a network. Therefore, it will become easier for them to hide their real identity against the domain controller.

By following the Netlogon authentication process, they can disable security features with ease. With the help of the Netlogon authentication process, one can change the password of a computer on the domain controller's Active Directory. Usually, a database of a computer is connected with a domain and their passwords.

The reason why it is named Zerologon is that the hackers attack the database only by adding zero characters in specific Netlogon authentication parameters.

Take over a corporate network within three seconds:

For the beginners, they must need a foothold inside a network to hack the domain. They can't hack the Windows Servers that are not included in the arena of that specific company's network Or belong to the outside of the company's network. It just takes a few seconds to hack all the databases.

The bug can quickly attack anyone's computer of the targeted company and then spread the malware to all computers.

Patches available; more to come

Nowadays, big companies like Microsoft, need to modify their devices that are connected to corporate networks. Now the Netlogon security features become mandatory for this temporary patch in which process the Zerologon got disabled. It is also vital for all Netlogon authentications.

Recently, it has been decided to reschedule the bug for February 2021. People use this name Zerologon for its broad impact, severity, and benefits for attackers. Secura did not release any proof-of-concept code for a weaponized Zerologon attack. In addition to this, the company has also released a Python script instead of the previous script that you have got earlier.

Protecting devices against Zerologon Bug

Microsoft is trying to fix this bug problem in two-phase. During this time, Microsoft has updated the FAQs in its original documentation. This documentation can help you to identify further clarity. It is because a few users are there who found the documentation very confusing.

That's why Microsoft told its users to find out those devices that make vulnerable connections. For this, they said to their employees to monitor event logs, address non-compliant devices, etc. They also said to enable enforcement mode for managing CVE-2020-1472 in their environment.

Companies use Microsoft Defender for Identity, or Microsoft 365 Defender to detect the attackers who try to use the bug against their domain controllers. Microsoft Defender for Identity was known as Azure Advanced Threat Protection. Whereas Microsoft 365 Defender was known earlier as Microsoft Threat Protection. 

Moreover, the Microsoft company is the one that has taken the help of the Cybersecurity and Infrastructure Agency (CISA). They issued some local agencies to look into this matter step by step. Any company that has the Windows Server device needs to patch it for running the server smoothly. This process helps to avoid potential attacks that can steal your database also.

Conclusion:

Microsoft has recently informed its employees to update the domain controllers. And they also told them to find out those devices that are making vulnerable connections. The main focus of the attackers was to get a connection to the domain controller so that they become the domain admin with only one click.