Microsoft Releases Patch for Severe Zerologon Vulnerability
By Greg Hodges, Vigilant VP, Sales Operations
A Vigilant Threat Alerts Series
Unbeknownst to many, Microsoft released a patch in August for one of the most severe bugs ever reported to the company. The bug, located in MS-NRPC (a core component of Active Directory), is called Zerologon. It would allow an attacker with a foothold on your internal network to essentially become a Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint. Read more about how it works below.
Because you are a valued Vigilant customer, we want to notify you of this security risk, and we strongly urge you to read Microsoft's guidance on CVE-2020-1472 and install the patch.
If you're a CyberDNA® customer, our hunt team has created and deployed detection for this vulnerability. We will continue to monitor this threat and enhance our detection as needed. You can rest assured that we've got your back. If you're a MEP customer only, see below for how you can increase your security by installing CyberDNA®.
As always, thank you for being a Vigilant customer and trusting us to protect your business. If you have any questions, please don't hesitate to ask by emailing CRS@vigilantnow.com.
How Zerologon Works
Threat actors can exploit Netlogon, a Windows Server process that authenticates users and other services within a domain. Unless it is halted manually or by a runtime error, Netlogon runs continuously in the background because it is an application and not a service. Netlogon can be stopped or restarted from the command-line terminal. To exploit it, all that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.
Why is this important?
If you have a threat actor inside your environment, they could take over your entire corporate network in about three seconds. This “elevation of privilege” vulnerability is so severe that the U.S. government is requiring all federal agencies to patch it by Monday. NIST rated Zerologon with a CVSS score of 10.0 in the National Vulnerability Database (NVD).
Interested in CyberDNA®?
Did you know Vigilant is currently offering a free trial of CyberDNA®? Through a comprehensive, five-day security threat audit that deploys CyberDNA® in your network, you can experience the confident security of being a Vigilant customer. CyberDNA® defends against the threats that penetrate your endpoint defenses, identifying and containing threats within minutes to hours*. But, hurry! It's a 30-day limited-time offer.
*The 2020 industry average for a breach lifecycle for companies deploying competitive solutions is 315 days, or roughly ten months.