Rewterz Threat Alert – Ransomware Egregor Infecting Organizations around the World
October 6, 2020Rewterz Threat Advisory – CVE-2019-4725 – IBM Security Access Manager Appliance cross-site scripting
October 7, 2020
Severity
High
Analysis Summary
Microsoft published CVE-2020-1472, announcing a new vulnerability that allows elevation of privilege on the domain controller. This elevation of privilege vulnerability, also known as the Netlogon Elevation of Privilege Vulnerability, exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
The ZeroLogon vulnerability has been exploited in the wild since its discovery. The flaw directly affects domain controllers (DCs) in Active Directory (AD). Because of an incorrect implementation of AES-CFB8 in the Netlogon protocol, an attacker can set a new password with no further requirements in order to take complete control of the DC and obtain administrator credentials. The failure lies in the initial authentication handshake, whose authentication can be bypassed entirely; an attacker therefore only has to establish a TCP connection to a vulnerable domain controller. Being on the local network is enough to exploit this flaw, since it does not require domain credentials of any kind.
The Iranian-backed MuddyWater cyber-espionage group was observed using ZeroLogon exploits in multiple attacks during the last two weeks. The ongoing attacks exploiting the critical, 10/10-rated CVE-2020-1472 security flaw were spotted by Microsoft’s Threat Intelligence Center. MERCURY (also tracked as MuddyWater, SeedWorm and TEMP.Zagros) is an Iranian-backed hacking group first spotted in 2017.
Impact
- Privilege Escalation
- Privilege Abuse
- Unauthorized Access
Affected Vendors
Microsoft
Affected Products
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server version 1903 (Server Core installation)
- Windows Server version 1909 (Server Core installation)
- Windows Server version 2004 (Server Core installation)
Remediation
To protect your environment and prevent outages, you must do the following:
- UPDATE your Domain Controllers with an update released August 11, 2020 or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
Note: Step 1, installing the updates released August 11, 2020 or later, addresses the security issue in CVE-2020-1472 for Active Directory domains and trusts, as well as for Windows devices. To fully mitigate the security issue for third-party devices, you will need to complete all the steps.
Warning: Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices. At that point, you will no longer be able to disable enforcement mode.
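The following PowerShell script is an added example for steps 2 to 4 of the remediation procedure above; it is not part of the Rewterz advisory or of Microsoft's guidance. It assumes it is run on a domain controller that already has the August 11, 2020 (or later) update installed, because only the patched Netlogon service writes the System-log events it looks for (Microsoft's documented event IDs 5827 to 5831 from provider NETLOGON) and honours the FullSecureChannelProtection registry value that turns on enforcement mode. The look-back window, the parameter name and the regular expression used to pull the account name out of the event text are assumptions made for this script.

```powershell
# Added example (not from the advisory): find devices still making vulnerable
# Netlogon secure channel connections and check whether enforcement mode is on.
# Event IDs written by the patched Netlogon service (provider NETLOGON, System log):
#   5827 / 5828 - vulnerable machine / trust account connection DENIED
#   5829        - vulnerable machine account connection ALLOWED (deployment phase;
#                 these are the non-compliant devices to address in step 3)
#   5830 / 5831 - vulnerable connection allowed by the group policy exception
#                 "Domain controller: Allow vulnerable Netlogon secure channel connections"

param(
    # Assumption for this script: how far back to search the System log.
    [int]$LookBackDays = 7
)

$netlogonIds = 5827, 5828, 5829, 5830, 5831

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = $netlogonIds
    StartTime    = (Get-Date).AddDays(-$LookBackDays)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No vulnerable Netlogon connection events (IDs $($netlogonIds -join ', ')) in the last $LookBackDays days."
} else {
    $events |
        ForEach-Object {
            $evt = $_
            # Assumption: the event text contains a line like "Machine SamAccountName: HOST01$".
            # Adjust the pattern if your language pack renders the message differently.
            $account = if ($evt.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
            $outcome = switch ($evt.Id) {
                { $_ -in 5827, 5828 } { 'Denied'; break }
                5829                  { 'Allowed (vulnerable)'; break }
                default               { 'Allowed (policy exception)' }
            }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                Id          = $evt.Id
                Outcome     = $outcome
                Account     = $account
            }
        } |
        Group-Object Account, Outcome |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Account'; e = { $_.Group[0].Account } },
                      @{ n = 'Outcome'; e = { $_.Group[0].Outcome } } |
        Format-Table -AutoSize
}

# Step 4 check: enforcement mode is controlled by the FullSecureChannelProtection
# DWORD under the Netlogon Parameters key (1 = enforce, 0 = deployment phase).
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$fscp = Get-ItemProperty -Path $paramsKey -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
if ($fscp -and $fscp.FullSecureChannelProtection -eq 1) {
    Write-Host 'Enforcement mode is ENABLED: vulnerable Netlogon connections are blocked.'
} else {
    Write-Host 'Enforcement mode is NOT enabled (deployment phase).'
    Write-Host 'Once no 5829 events remain, enable it with:'
    Write-Host "  Set-ItemProperty -Path '$paramsKey' -Name FullSecureChannelProtection -Value 1 -Type DWord"
}
```

Run it on each domain controller (or collect the output centrally) during the deployment phase: accounts listed with the outcome "Allowed (vulnerable)" are the non-compliant devices from step 3, and only once that list is empty does it make sense to set FullSecureChannelProtection to 1 for step 4. Accounts that show up under "Allowed (policy exception)" are ones you have deliberately excluded through the group policy, so keep that list short and reviewed.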