
Rewterz Threat Alert – CVE-2020-1472 – Attackers Exploiting ‘ZeroLogon’ Windows Flaw – IoCs and PoC

September 25, 2020

Severity

High

Analysis Summary

Microsoft reported that attackers are exploiting a particularly dangerous flaw in Windows Server systems that could be used to give attackers access to a vulnerable corporate network.


This vulnerability directly affects domain controllers (DCs) in Active Directory (AD). Because of an incorrect implementation of AES-CFB8 in the Netlogon protocol, an attacker can set a new password without meeting any further requirements, take complete control of the DC and obtain administrator credentials. The flaw lies in the initial authentication handshake, whose authentication can be bypassed entirely: an attacker only has to establish a TCP connection to a vulnerable domain controller. Simply being inside the local network is enough to exploit the flaw, since no domain credentials of any kind are required.

Attack Patterns

  • Privilege Abuse
  • Privilege Escalation
  • Restful Privilege Elevation

Associated PoCs

The severe ZeroLogon vulnerability (CVE-2020-1472) already has a working public proof-of-concept (PoC) exploit and is very dangerous. The bug was fixed in Microsoft’s security updates for August 2020. However, this week at least four public PoC exploits for the bug were released on GitHub. Even the popular mimikatz tool has added support for exploiting the vulnerability more quickly via RPC.



The vulnerability is exploitable by anyone with network visibility of the DC; it has low technical complexity, requires no privileges and requires no interaction from a legitimate user. The vulnerability has been found in all versions of Windows.



Because of this bug in the AES implementation, an attacker can gain full control of the DC and set an empty password on the domain. Because no authentication is needed to exploit this security flaw, the vulnerability has been named “Zerologon”.

PoC ZeroLogon CVE-2020-1472 Public Exploits


Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472

  • https://3g2upl4pq6kufc4m.onion/?q=%22https%22+secure+etosoftware+%22newlogin%22+site:social.technet.microsoft.com
  • https://github.com/batmanli61/Zerologon
  • https://github.com/k8gege/CVE-2020-1472-EXP
  • https://github.com/VoidSec/CVE-2020-1472
  • https://github.com/risksense/zerologon
  • https://github.com/sv3nbeast/CVE-2020-1472
  • https://github.com/zeronetworks/zerologon
  • https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon
  • https://github.com/dirkjanm/CVE-2020-1472
  • https://github.com/blackarrowsec/redteam-research/tree/master/CVE-2020-1472
  • https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py
  • https://github.com/bb00/zer0dump

Impact

  • Privilege Escalation
  • Privilege Abuse
  • Unauthorized Access

Affected Vendors

Microsoft

Affected Products

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server version 1903 (Server Core installation)
  • Windows Server version 1909 (Server Core installation)
  • Windows Server version 2004 (Server Core installation)

Indicators of Compromise

MD5

  • 19ff12325546bdb01adfcf96e7e747c3
  • 145459f51dba94635b676305e1879d81
  • 96b2532ece1f721a1c4ebf714d33f5da
  • 1d075193b9c51dbeb9ca38bebe03fe52

SHA-256

  • 50af4367eadd55236d085d8221815ea06992d6c0e1ab3ed6848dc3bdaca6f7dd
  • 6c07d9e28c2f83966b4b52e0fe011318cd939318f6dc9900cbf827f0bac04683
  • 6dd6f3f6de51816e17fe826d6848dc04ce8327df00f5b667a83e3a4ac7a8cb5d
  • c33a65409db7ea9ced3d7e9d9df80a4e2cef77b787ac47ff949764da970ec602

SHA-1

  • 6bdac6ffbbd4a1192248085c78638b35f572d14b
  • 246abf8b8788cd1e7806b9d129f3d48d3fd849d6
  • e23ff79c1599e273e3af67b842997e3d11603dfb
  • 14353c6f8f39a312951b73e55470715fe71b5360

Remediation

  • Block the threat indicators at their respective controls.
  • Immediately apply patches for this vulnerability.
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
  • Block additional IoCs from previous advisory as well.
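The first remediation step, blocking the listed file indicators, is easiest to act on when you can sweep hosts for files whose hashes match them. The script below is an added example written for this advisory, not tooling from Rewterz or Microsoft: it embeds the MD5, SHA-1 and SHA-256 indicators listed above, hashes every file under a directory tree in one pass, reports which indicator sets each file matched, and records files it could not read instead of aborting the sweep. The `sweep`, `hash_file` and `match_indicators` function names and the command-line usage are this example's own choices.

```python
"""Sweep a directory tree for files whose hashes match the advisory's IoCs (added example)."""
import hashlib
import os
import sys
from pathlib import Path

# Indicator sets copied from the advisory above. Lowercase hex, compared case-insensitively.
ADVISORY_IOCS = {
    "md5": {
        "19ff12325546bdb01adfcf96e7e747c3",
        "145459f51dba94635b676305e1879d81",
        "96b2532ece1f721a1c4ebf714d33f5da",
        "1d075193b9c51dbeb9ca38bebe03fe52",
    },
    "sha1": {
        "6bdac6ffbbd4a1192248085c78638b35f572d14b",
        "246abf8b8788cd1e7806b9d129f3d48d3fd849d6",
        "e23ff79c1599e273e3af67b842997e3d11603dfb",
        "14353c6f8f39a312951b73e55470715fe71b5360",
    },
    "sha256": {
        "50af4367eadd55236d085d8221815ea06992d6c0e1ab3ed6848dc3bdaca6f7dd",
        "6c07d9e28c2f83966b4b52e0fe011318cd939318f6dc9900cbf827f0bac04683",
        "6dd6f3f6de51816e17fe826d6848dc04ce8327df00f5b667a83e3a4ac7a8cb5d",
        "c33a65409db7ea9ced3d7e9d9df80a4e2cef77b787ac47ff949764da970ec602",
    },
}

CHUNK = 1 << 20  # hash 1 MiB at a time so large binaries never load fully into memory


def hash_file(path):
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} for one file, read in a single pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def match_indicators(digests, iocs=ADVISORY_IOCS):
    """Return the sorted list of algorithms under which the digests hit an indicator ([] if clean)."""
    return sorted(
        algo for algo, known in iocs.items() if digests.get(algo, "").lower() in known
    )


def sweep(root, iocs=ADVISORY_IOCS):
    """Walk root recursively.

    Returns (hits, skipped): hits maps each matching file path to the algorithms that
    matched; skipped lists paths that could not be read (permissions, vanished files),
    so one unreadable file does not abort the whole sweep.
    """
    hits = {}
    skipped = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                matched = match_indicators(hash_file(path), iocs)
            except OSError:
                skipped.append(str(path))
                continue
            if matched:
                hits[str(path)] = matched
    return hits, skipped


if __name__ == "__main__":
    # Usage (example's own CLI): python ioc_sweep.py /path/to/scan
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found, unreadable = sweep(target)
    for hit_path, algos in found.items():
        print(f"MATCH {hit_path} ({', '.join(algos)})")
    print(f"{len(found)} matching file(s), {len(unreadable)} unreadable file(s)")
```

A hit on any one algorithm is reported rather than requiring all three, because an indicator list often carries only one hash type per sample; the per-algorithm match list lets an analyst see which indicator fired. On hosts where MD5 is disabled by a FIPS policy, `hashlib.new("md5")` raises and the file lands in the `skipped` list, which is the intended signal to re-run with the remaining algorithms.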