Data Guard 365 versus Zerologon

What is the Zerologon Vulnerability?

Zerologon, CVE-2020-1472, is a critical vulnerability affecting all currently supported versions of Microsoft Windows Server, from Windows Server 2008 R2 upward. It stems from a flaw in the Netlogon Remote Protocol (MS-NRPC) that lets an attacker impersonate any machine account, including that of the domain controller itself.

Security expert Tom Tervoort of Secura discovered this vulnerability. It allows a remote attacker to forge an authentication token for Netlogon and set the computer password of the domain controller to a known value. A hacker can then use the new password to take over the domain controller; to modify or add authentication credentials; to escalate privileges; or to move laterally to other machines in the domain.

Recently, researchers have discovered more ways to operationalize the Zerologon vulnerability. Beyond just resetting the domain passwords, they discovered the capability to extract all domain passwords. This development increases the risk enterprises are exposed to.

For a successful attack, a hacker would first have to gain remote or physical access to a device on the same network as a domain controller, yet valid domain credentials and/or domain membership are not prerequisites to achieve this!

Since the vulnerability was disclosed, exploit code has become readily available, and CISA has stated that the vulnerability poses an “unacceptable risk” and requires “immediate and emergency action”.

Even though Microsoft has released an initial patch for Zerologon, it is only the first step of a phased rollout that Microsoft expects to run through at least the first quarter of 2021. Microsoft’s advisory notes that the current update protects only supported Windows devices, leaving legacy versions of Windows and other devices that communicate with domain controllers over the Netlogon MS-NRPC protocol vulnerable to compromise.

Furthermore, the initial patch does not by itself prevent a Zerologon attack. Instead, it adds logging to detect non-secure RPC connections and a registry setting to disable non-secure RPC once no devices still depend on it. The difficulty for enterprise security teams is that simply turning non-secure RPC off may break legacy applications. So even with the currently available patch, an organization that cannot use the registry setting to disable non-secure RPC remains vulnerable.
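The two halves of that patch, the enforcement registry value and the new Netlogon event log entries, can be checked from a domain controller with a short PowerShell script. This is an added example, not Data Guard 365’s code; it assumes the August 2020 Netlogon update is installed, that the script runs with local administrator rights on the DC, and that the first event property holds the calling account name (verify that against your own events).

```powershell
# Added example (not Data Guard 365's code): report a patched DC's Zerologon
# enforcement state and summarize the Netlogon events the update introduced.
# Assumption: the Netlogon update is installed; without it the registry value
# is absent and the events never appear.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$value   = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection

if ($value -eq 1) {
    Write-Host 'FullSecureChannelProtection = 1: non-secure Netlogon channels are refused (enforcement on).'
} else {
    $shown = if ($null -eq $value) { 'not set' } else { $value }
    Write-Host "FullSecureChannelProtection is $shown: vulnerable channels are still allowed."
}

# Netlogon event IDs added by the update, keyed by what each one means.
$meaning = @{
    5827 = 'DENIED  vulnerable connection from a machine account'
    5828 = 'DENIED  vulnerable connection from a trust account'
    5829 = 'ALLOWED vulnerable connection (deployment phase) - device must be fixed'
    5830 = 'ALLOWED vulnerable machine account connection via group policy exception'
    5831 = 'ALLOWED vulnerable trust account connection via group policy exception'
}

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = @($meaning.Keys)
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon 5827-5831 events since $since."
    return
}

# One row per event ID and calling account: 5829 rows name the legacy devices
# that still use the insecure protocol and must be fixed before enforcing.
$events |
    ForEach-Object {
        [pscustomobject]@{
            Id      = $_.Id
            Meaning = $meaning[$_.Id]
            Account = $_.Properties[0].Value   # assumption: first property is the account name
        }
    } |
    Group-Object Id, Account |
    Select-Object Count, @{n='Id';e={$_.Group[0].Id}}, @{n='Account';e={$_.Group[0].Account}},
                  @{n='Meaning';e={$_.Group[0].Meaning}} |
    Sort-Object Id |
    Format-Table -AutoSize
```

A clean run (no 5829/5830/5831 rows over a representative period) is the signal that the registry value can be set to 1 without breaking legacy devices.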

How to Detect and Defend Against Zerologon Abuse?

This attack can be difficult to detect from an endpoint perspective because the attacker is essentially authenticating to the domain in a manner resembling legitimate user/account behavior. In addition, the primary attack vector is at the network level as opposed to interaction with a host’s filesystem. As a consequence, many traditional endpoint security solutions cannot address the flaw directly and treat it as ‘out of scope’.

In contrast, Data Guard 365 researchers have taken a vector-agnostic approach that leverages some unique, proprietary innovations to enable detection of this exploit on the endpoint. They have run numerous tests across various frameworks and observed that this attack, while successful, is also highly noticeable on the domain controller, since the attack negatively affects communications with the domain controller in a number of ways. Data Guard 365’s platform detects both initial exploitation and post-exploitation activity on a targeted system. Even though this attack starts from the network, the endpoint is fully aware of the incoming traffic attempts.

The Netlogon Remote Protocol is utilized to maintain domain relationships from the members of a domain:

  • To the domain controller (DC),
  • Among DCs for a domain, and
  • Between DCs across domains.

By carefully monitoring the authentication attempts made within the system, both locally and remotely, and by processing them through Data Guard 365’s behavioral AI engine, they can distinguish between “exploitation” and “benign” authentication attempts. Whenever suspicious activity is detected, a threat indication allows in-context alerts to be shown on the management console.

In Summary

  • Some endpoint vendors have been claiming this 10/10 severity CVE-2020-1472 is a network security issue. Data Guard 365 shows that this is inaccurate: exploitation of Zerologon can be detected on the endpoint.
  • Data Guard 365’s platform and qualified cyber security specialists accurately detect the exploitation attempt on targeted hosts, linking post-exploitation events together with our Storyline.
  • This critical detection ability is available starting 4.2 SP4 and is available for existing Data Guard 365 customers.

Watch the demo depicting Data Guard 365’s autonomous detection of this critical server vulnerability. Innovation and vector-agnostic technology keep customers steps ahead of the threat landscape:

How can I get Protection from Zerologon?

Similar to other modifications on the agent, Data Guard 365 began deploying this capability to selected customers to ensure stability in various environments. This critical detection is now available to those deploying 4.2 SP4.  Versions 4.3 and 4.4 will include this detection capability with the next service pack update.

Receive a Complimentary Cyber Health Check

Data-Guard 365 is an MSSP firm headquartered in Indianapolis, Indiana, with offices in Chicago, Atlanta, and other strategic locations across the globe. The company is a one-of-a-kind business partner whose people, processes, and technology provide invincible cyber security for a price point that pays for itself.

www.Data-Guard365.com / (317) 967-6767 / info@data-guard365.com

Christopher Zvirbulis
Chief Commercial Officer, Partner