Thomas Leduc

If there was ever a time to re-examine the security of your Active Directory, it’s now.

In response to rising concerns about the notorious Zerologon vulnerability (CVE-2020-1472), the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 20-04, requiring federal agencies to apply Microsoft’s August 2020 patch immediately. Enterprises would be smart to follow suit.

“Zerologon” severe privilege escalation vulnerability

In the past week, exploit code for the severe privilege escalation vulnerability dubbed “Zerologon” has surfaced online. The vulnerability is a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC): the credential a client presents to prove it knows its machine account password is computed with AES-CFB8 under a fixed all-zero initialization vector, so for roughly one session key in 256 an all-zero challenge produces an all-zero credential. An attacker who keeps sending Netlogon authentication messages with the challenge and credential fields set to zero therefore authenticates as the domain controller (DC) itself after an average of about 256 attempts, without knowing any password, and can then call the Netlogon password-change function to set the DC’s computer account password stored in AD to an empty value. In effect, anyone with network access to a DC can elevate their privileges and compromise the Windows domain without any user credentials. With the DC’s password now empty, attackers pull domain admin and other credential hashes out of AD, then restore the original DC password so that nothing visibly breaks, facilitating all manner of follow-on attacks, from ransomware to data theft.
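To make the “fields filled with zeros” concrete, here is an added example that is not from the original article: a PowerShell re-implementation of the AES-CFB8 credential computation that MS-NRPC uses, built on .NET’s AES-ECB primitive, followed by a sampling check of how often an all-zero challenge yields an all-zero credential. The function and parameter names are my own, and random keys stand in for real Netlogon session keys (which are derived from the machine account password and the two challenges); the property being demonstrated does not depend on how the key was derived.

```powershell
# Added example, not code from the original article. Demonstrates the Zerologon
# cryptographic flaw: MS-NRPC computes the 8-byte Netlogon credential with
# AES-CFB8 under the session key and a fixed all-zero IV. CFB8 is rebuilt here
# on top of AES-ECB so it runs on Windows PowerShell 5.1 and PowerShell 7 alike.

function ConvertTo-NetlogonCredential {
    # Hypothetical name; mirrors the AES variant of ComputeNetlogonCredential.
    param(
        [Parameter(Mandatory)][byte[]]$SessionKey,   # 16-byte AES session key
        [Parameter(Mandatory)][byte[]]$Challenge     # 8-byte challenge to transform
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.Key     = $SessionKey
    $enc = $aes.CreateEncryptor()

    $shiftReg = New-Object byte[] 16             # CFB shift register, seeded with the IV: all zeros
    $out      = New-Object byte[] $Challenge.Length
    for ($i = 0; $i -lt $Challenge.Length; $i++) {
        $block = $enc.TransformFinalBlock($shiftReg, 0, 16)   # AES_K(register); ECB has no state to reset
        $out[$i] = $block[0] -bxor $Challenge[$i]             # CFB8: one keystream byte per plaintext byte
        [Array]::Copy($shiftReg, 1, $shiftReg, 0, 15)        # shift the register left one byte...
        $shiftReg[15] = $out[$i]                              # ...and feed the ciphertext byte back in
    }
    $enc.Dispose(); $aes.Dispose()
    return ,$out
}

function Measure-ZeroCredentialRate {
    # Fraction of random session keys for which an all-zero challenge encrypts to
    # an all-zero credential. Expected: exactly 1/256. Output byte 0 is
    # AES_K(0^16)[0] XOR 0; when that byte is 0 the register never changes, so
    # every later byte is 0 as well.
    param([int]$Trials = 8192)
    $zeroChallenge = New-Object byte[] 8
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $hits = 0
    for ($t = 0; $t -lt $Trials; $t++) {
        $key = New-Object byte[] 16
        $rng.GetBytes($key)      # assumption: a random key stands in for a real Netlogon session key
        $cred = ConvertTo-NetlogonCredential -SessionKey $key -Challenge $zeroChallenge
        if (($cred -ne 0).Count -eq 0) { $hits++ }
    }
    [pscustomobject]@{
        Trials             = $Trials
        AllZeroCredentials = $hits
        ObservedRate       = [math]::Round($hits / $Trials, 5)
        ExpectedRate       = [math]::Round(1 / 256, 5)
    }
}

Measure-ZeroCredentialRate
```

Running it shows an ObservedRate close to the ExpectedRate of 0.00391. An attacker never learns the session key; they simply repeat the authentication attempt, always sending zeros, until the DC happens to derive a key in that 1-in-256 set and accepts the all-zero credential.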

Discovered by Tom Tervoort of Secura, the bug carries a CVSS score of 10 out of 10, the most severe rating possible. Multiple proof-of-concept exploits have already been released into the wild, and Zerologon has been operationalized in an updated release of the Mimikatz tool.

Have you patched yet?

With exploits circulating, the pressure is on to patch as soon as possible. Microsoft is addressing the issue in two phases. On August 11, 2020, it released a security update that changes Netlogon behavior on DCs: secure RPC (signed and sealed Netlogon secure channels) is now required for Windows machine accounts, for trust accounts, and for all DCs, while connections from non-compliant devices (typically non-Windows systems) are still allowed but logged so they can be found and fixed. The update also adds the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy for explicit exceptions. The second phase, the enforcement update, is slated for the first quarter of 2021; it will require secure RPC for machine accounts on non-Windows systems as well, unless an account is permitted by that group policy. Administrators who want to get there early can enable enforcement mode on patched DCs now through the FullSecureChannelProtection registry value that Microsoft documents alongside the update.

It should be noted that after deploying the August update, patched DCs will log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed, and 5827 or 5828 whenever one is denied for a machine account or trust account. Each event names the account involved, which gives you the list of devices to fix. Microsoft advises organizations to address these events before turning on DC enforcement mode or before the 2021 enforcement update arrives, to avoid outages when those connections start being refused. It is also crucial that all DCs, including read-only domain controllers, be updated. The patching process isn’t always easy; it is often plagued by delays due to the sheer number of applications and systems in IT environments and a general fear of disrupting operations. Still, any organization running Active Directory should begin identifying vulnerable systems now and prioritize patching.
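Putting the discovery and enforcement steps above into practice, here is an added PowerShell example (mine, not the article’s or Microsoft’s): it collects Netlogon events 5827 through 5831 from every DC in the forest, summarizes which machine accounts are still making vulnerable connections, and provides a function that switches DCs into enforcement mode through the documented FullSecureChannelProtection registry value. It assumes the ActiveDirectory RSAT module, event-log and WinRM access to the DCs, and that the event messages contain the “Machine SamAccountName:” line as documented in Microsoft’s knowledge base article for the update; the function names are my own.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# RSAT module, Get-WinEvent/WinRM access to the DCs, and the August 2020 update
# on those DCs (an unpatched DC never writes these events).

#Requires -Modules ActiveDirectory

# Events written by patched DCs to the System log (source NETLOGON).
$NetlogonEventIds = @{
    5827 = 'DENIED: vulnerable machine-account connection'
    5828 = 'DENIED: vulnerable trust-account connection'
    5829 = 'ALLOWED: vulnerable connection (refused once enforcement is on)'
    5830 = 'ALLOWED: machine account exempted by group policy'
    5831 = 'ALLOWED: trust account exempted by group policy'
}

function Get-NetlogonVulnerableConnection {
    # One object per event, across every writable and read-only DC in the forest.
    param([int]$Days = 7)
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    foreach ($dc in $dcs) {
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
                LogName      = 'System'
                ProviderName = 'NETLOGON'
                Id           = [int[]]$NetlogonEventIds.Keys
                StartTime    = (Get-Date).AddDays(-$Days)
            }
        } catch {
            # Get-WinEvent throws "No events were found" as well as connectivity errors;
            # a DC with no events at all is either unpatched or has no vulnerable clients.
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Assumed message layout: a line reading "Machine SamAccountName: <name>".
            $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
            [pscustomobject]@{
                DomainController = $dc.HostName
                TimeCreated      = $e.TimeCreated
                EventId          = $e.Id
                Meaning          = $NetlogonEventIds[$e.Id]
                MachineAccount   = $account
            }
        }
    }
}

function Enable-NetlogonEnforcementMode {
    # Sets FullSecureChannelProtection=1 on the given DCs, the switch Microsoft
    # documents for enabling DC enforcement mode ahead of the 2021 update.
    # Apply it to every DC, and only after the 5829 list below is empty.
    param([Parameter(Mandatory)][string[]]$DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        New-ItemProperty -Path $key -Name FullSecureChannelProtection -PropertyType DWord -Value 1 -Force | Out-Null
        Get-ItemProperty -Path $key -Name FullSecureChannelProtection | Select-Object FullSecureChannelProtection
    }
}

# Which machine accounts still need attention before enforcement is switched on?
$report = Get-NetlogonVulnerableConnection -Days 30
$report | Where-Object EventId -eq 5829 |
    Group-Object MachineAccount |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Once that list is empty (or every remaining account is covered by the group
# policy exception), enforce on every DC in the forest:
# $allDcs = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomainController -Filter * -Server $_).HostName }
# Enable-NetlogonEnforcementMode -DomainController $allDcs
```

The 5829 summary is the to-do list: each name is a device that will lose its secure channel the day enforcement is switched on. Event 5829 is only written while a DC is still in the initial deployment phase; after enforcement mode is enabled, the same connections show up as 5827 or 5828 denials, which is why the registry change is left as a commented call to be run deliberately.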

Be prepared for an influx of new attacks targeting Active Directory

After rigorously patching, it’s time to acknowledge the influx of new attacks exploiting Active Directory. Understand your weak points and focus on hardening AD. Vulnerability and configuration assessments are vital to raising the bar for attackers targeting AD. Likewise, continuously monitoring AD for changes that never appear in the security logs, and automatically rolling back suspicious modifications that are too risky to wait for human intervention, helps stop lateral movement and advanced persistent threats. Automated monitoring, vulnerability assessment, and remediation are all part of keeping your AD environment safe.

In the event of a cyber disaster, taking regular backups and storing copies offline will be the difference between a brief outage and extended downtime if AD is compromised. Backups that remain network-accessible can be destroyed by the same attacker, which only increases the pressure on the victim to pay. Organizations should always have sufficient backups to perform a full forest recovery. Finally, avoid bare-metal and system state restores when recovering from a cyberattack: they bring back the entire compromised image, so they risk reintroducing the malware or persistence mechanisms along with AD.

As Zerologon demonstrates, it’s time for organizations to take a hard look at the security posture of Active Directory. A motivated attacker will find a way in, one way or another. Don’t let AD be a soft target.