Microsoft published CVE-2020-1472 announcing that a new vulnerability exists that allows elevation of privileges to the domain controller. An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), also known as Netlogon Elevation of Privilege Vulnerability.
The ZeroLogon vulnerability has been exploited in the wild ever since its discovery. The flaw directly affects domain controllers (DC) in active directories (AD). Due to a bug in the incorrect implementation of AES-CFB8 in the Netlogon protocol, an attacker could set a new password without further requirements, all in order to take complete control of the DC and gain the administrator user credentials. The failure is located in the initial authentication handshake, since authentication is generally bypassed, therefore, an attacker only has to establish a TCP connection with a vulnerable domain controller, simply by being within the local network it would be enough to exploit this flaw, since it does not require any type of domain credential.
Iranian-backed MuddyWater cyber-espionage group was observed using ZeroLogon exploits in multiple attacks during the last two weeks. The ongoing attacks exploiting the critical 10/10 rated CVE-2020-1472 security flaw were spotted by Microsoft’s Threat Intelligence Center. MERCURY (also tracked as MuddyWater, SeedWorm, and TEMP.Zagros) is an Iranian-backed hacking group first spotted in 2017.
To protect your environment and prevent outages, you must do the following:
Note Step 1 of installing updates released August 11, 2020 or later will address security issue in CVE-2020-1472 for Active Directory domains and trusts, as well as Windows devices. To fully mitigate the security issue for third-party devices, you will need to complete all the steps.
Warning Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable enforcement mode.