Last month, Microsoft announced that it had patched one of the most dangerous bugs ever discovered. On the ten-point bug severity scale, this bug attained a 10. However, unless you work in cybersecurity, you probably never heard of Zerologon. There are a few reasons for this. First of all, most people don’t worry about an attack unless it strikes close to home. A hack of Instagram may get their attention, but an attack on the Netlogon protocol leaves most people cold. Even if it sounds threatening, most people don’t understand the technical aspects of such a bug and really don’t have the time to look into it in any depth. Thus, the lack of personal relevance, coupled with technical obscurity, allowed this bug to pass by almost totally unnoticed. However, since I believe this is an important cybersecurity event, I will, in this post, attempt to explain why this bug was, and is, so dangerous and how it could affect the lives of most people.
First of all, it is necessary to explain a few technical terms, which I will intentionally oversimplify. (Those who want more technical details can go here.) If you want to use a network, for example a company network, you first have to log onto it. You enter your name and password, and the server checks its database to see if you are allowed on its network. Actually, it is the Windows Netlogon service that performs this check. Running behind this service is the Server Message Block protocol, or SMB. If, after you log onto a network, you want to use a printer on the network, SMB will check to see if you have permission to do this. It will also determine which files you can access. In other words, if a criminal could find a way to manipulate these processes, they could enter a network and access whatever they wanted. They could do some very serious damage.
What serious damage could they do? Well, in the worst case scenario, an attacker could take over the entire corporate or government network. They could gather all the company information that they wanted. They could steal corporate secrets. They could steal all the personal information of the employees and, when they were done harvesting what they wanted, they could top it off with a ransomware attack by encrypting important data on the network. They would have access to all of the company’s clients and subcontractors. They would have access to every employee. If the corporation or agency did not have a full backup, the only escape from such an attack would be to rebuild an entire new network, so I would assume most would agree that this would be a scenario to take seriously.
The bug that would allow for this type of attack was found in the way that a Microsoft server handles a login from a networked computer. To authenticate the login, the server engages in a ‘dialogue’ with the computer in the form of the encryption of the computer’s password, which both the computer and the server know. On the surface, this seems like a valid way to ensure that the user signing on is who they say they are.
At first, the Secura researcher Tom Tervoort, who investigated the security of Netlogon, thought that it might be possible to manipulate the protocol through a man-in-the-middle attack, and this, indeed, was possible. However, with further investigation, he found that the Netlogon authentication protocol could be ‘fooled’ by logging in with zeroes as the password. Hence the name for this bug: Zerologon. Apparently, it is the encryption of this zero-filled login that allows an attacker onto the network.
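The post leaves the mechanism at “a zero-filled login”. The reason it works, as documented in Secura’s write-up linked above, is that Netlogon encrypts the client’s challenge with AES in CFB8 mode using an all-zero IV. In CFB8 the ciphertext feeds back into the cipher’s input one byte at a time, so when both the IV and the input are all zeros, the entire output is zero whenever the first byte the cipher produces on the zero block is zero, which is true for about 1 in 256 keys. That is why the patch matters for every session key, not just a few. The example below is added here and is not code from the post or from Secura; it uses a keyed SHA-256 stand-in for AES (constructed for the example) so it runs without any crypto library, and the function and variable names are my own.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher (AES in the real protocol).

    Constructed for this example: a keyed SHA-256 truncated to one block.
    It is not a real cipher, but its first output byte is unpredictable per
    key, which is the only property the CFB8 argument below depends on.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes, block_encrypt=toy_block_encrypt) -> bytes:
    """Generic CFB8 encryption: each plaintext byte is XORed with the first
    byte of E(shift register), and the resulting ciphertext byte is shifted
    into the register for the next step."""
    shift = bytes(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, shift)[0]
        c = p ^ keystream_byte
        out.append(c)
        shift = shift[1:] + bytes([c])  # ciphertext feeds back into the register
    return bytes(out)


def zero_input_gives_zero_output(key: bytes, iv: bytes = bytes(BLOCK)) -> bool:
    """True if an 8-byte all-zero input encrypts to all zeros under this key/IV.

    With a zero IV and zero input, once the first keystream byte is 0 the
    register never changes, so every following byte is 0 as well.
    """
    return cfb8_encrypt(key, iv, bytes(8)) == bytes(8)


def derived_key(seed: bytes, i: int) -> bytes:
    """Deterministic 'random' key number i for the experiment (constructed)."""
    return hashlib.sha256(seed + i.to_bytes(4, "big")).digest()


def weak_key_fraction(n_keys: int, seed: bytes = b"constructed-seed") -> float:
    """Fraction of keys for which the all-zero check passes; expect about 1/256."""
    hits = sum(zero_input_gives_zero_output(derived_key(seed, i)) for i in range(n_keys))
    return hits / n_keys


def first_weak_key(seed: bytes = b"constructed-seed") -> bytes:
    """Return the first derived key whose cipher output on the zero block starts with 0x00."""
    i = 0
    while True:
        key = derived_key(seed, i)
        if toy_block_encrypt(key, bytes(BLOCK))[0] == 0:
            return key
        i += 1


if __name__ == "__main__":
    print("fraction of keys accepting an all-zero input with zero IV:", weak_key_fraction(20000))
    k = first_weak_key()
    print("weak key, zero IV, zero input  ->", cfb8_encrypt(k, bytes(BLOCK), bytes(8)).hex())
    # With a non-zero IV the register starts in a key-dependent state, so the
    # all-zero shortcut disappears (a constructed IV of bytes 1..16 here).
    print("weak key, non-zero IV, zero input ->", cfb8_encrypt(k, bytes(range(1, 17)), bytes(8)).hex())
```

The point for defenders is the last two lines of output: the same key stops accepting an all-zero input as soon as the IV is no longer all zeros, which is the direction the fix takes; with a zero IV, no key is safe, only lucky 255 times out of 256.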
Tervoort gives five possible exploits that can be used with this vulnerability. One of the most useful allows the attacker to change the networked computer’s password. However, the best exploit actually retrieves and changes the password of the server or domain controller. Doing this allows the attacker to actually become the domain controller. In other words, they control the entire network.
There is a caveat to this. The attacker either has to be on a networked device, which would amount to an insider attack, or be physically on the premises where the network is being used… at least for now. Nonetheless, it is still a dangerous flaw.
The good news is that Microsoft released a patch in August. The bad news is that it is part of a phased rollout, meaning that there will be problems with some networked devices until 2021. Still, it will stop the main attack vector and should be installed on every network. Some administrators are having problems with some non-compliant networked devices and may be delaying the installation of the patch until those devices are up to date. However, not installing the patch is so dangerous that temporary problems must simply be accepted.
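An administrator in the situation just described wants to know which devices are still making the old-style connections before the rollout’s enforcement phase refuses them. The August update makes domain controllers log Netlogon events with IDs 5827 through 5831 for exactly this purpose (the IDs and their meanings are from Microsoft’s guidance for the update, not from the post). The script below is an added example, not code from the post or from Microsoft: it reads a constructed, simplified key=value export (not the real Windows event log layout) and groups the events by device account so the devices that will break under enforcement stand out.

```python
import re
from collections import defaultdict

# Event IDs the August 2020 Netlogon update logs on a domain controller.
# Meanings are taken from Microsoft's guidance for the update.
NETLOGON_EVENTS = {
    5827: "denied: vulnerable connection from a machine account",
    5828: "denied: vulnerable connection from a trust account",
    5829: "allowed: vulnerable connection (tolerated only until enforcement)",
    5830: "allowed: vulnerable connection, exempted by group policy",
    5831: "allowed: vulnerable trust connection, exempted by group policy",
}

# Constructed sample lines in a simplified export format; only the event
# IDs are real, the hosts, accounts and addresses are made up.
SAMPLE_LOG = """\
2020-09-22T08:01:12Z EventID=5829 Computer=DC01 Account=PRINTER-FLOOR2$ Source=10.0.4.17
2020-09-22T08:01:40Z EventID=5829 Computer=DC01 Account=NAS-LEGACY$ Source=10.0.4.90
2020-09-22T08:03:05Z EventID=5829 Computer=DC01 Account=PRINTER-FLOOR2$ Source=10.0.4.17
2020-09-22T08:04:11Z EventID=4624 Computer=DC01 Account=jdoe Source=10.0.1.5
2020-09-22T08:05:59Z EventID=5827 Computer=DC02 Account=WS-OLD-07$ Source=10.0.2.33
2020-09-22T08:06:30Z EventID=5830 Computer=DC01 Account=SCANNER-HR$ Source=10.0.4.21
"""

LINE_RE = re.compile(r"EventID=(\d+) Computer=(\S+) Account=(\S+) Source=(\S+)")


def triage_netlogon_events(log_text: str) -> dict:
    """Group Netlogon secure-channel events by the connecting account.

    Returns {account: {"events": {event_id: count}, "sources": set, "dcs": set}}
    for accounts seen in any of the NETLOGON_EVENTS ids; other events are ignored.
    """
    report = defaultdict(lambda: {"events": defaultdict(int), "sources": set(), "dcs": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or unrelated line
        event_id = int(m.group(1))
        if event_id not in NETLOGON_EVENTS:
            continue  # e.g. ordinary logon events
        dc, account, source = m.group(2), m.group(3), m.group(4)
        entry = report[account]
        entry["events"][event_id] += 1
        entry["sources"].add(source)
        entry["dcs"].add(dc)
    return {a: {"events": dict(e["events"]), "sources": e["sources"], "dcs": e["dcs"]}
            for a, e in report.items()}


def devices_needing_attention(report: dict) -> list:
    """Accounts whose vulnerable connections are currently tolerated (5829).

    These keep working only during the rollout; they need updating or
    replacing before enforcement turns them into outages.
    """
    return sorted(a for a, e in report.items() if 5829 in e["events"])


def denied_devices(report: dict) -> list:
    """Accounts already being refused (5827/5828): these are broken right now."""
    return sorted(a for a, e in report.items() if 5827 in e["events"] or 5828 in e["events"])


if __name__ == "__main__":
    report = triage_netlogon_events(SAMPLE_LOG)
    for account in devices_needing_attention(report):
        e = report[account]
        print(f"{account}: {e['events'][5829]} tolerated vulnerable connection(s) from {sorted(e['sources'])}")
    for account in denied_devices(report):
        print(f"{account}: already denied ({sorted(report[account]['events'])})")
```

Accounts that show up with 5830 or 5831 were exempted deliberately by policy; they are worth a second look too, but they are a decision someone made rather than a device nobody has updated yet.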
The potential danger inherent in this vector is so severe that the Department of Homeland Security (DHS) has issued an emergency directive to all federal agencies using Windows servers. All such agencies should have patched their servers by September 21st. The directive further states that, “if affected domain controllers cannot be updated, ensure they are removed from the network…The availability of the exploit code in the wild (is) increasing (the) likelihood of any unpatched domain controller being exploited.” The report also concludes that there is a “high potential for a compromise of agency information systems”. So, yes, this is being treated as a dangerous situation.
In fact, so serious is the situation that all federal agencies had to prove that they updated their systems by filing a report with the DHS by Wednesday, September 23rd. Here is a portion of that report.
This all leads me to believe that the DHS knows more than it is telling us.
It is very possible that sophisticated attackers used the vulnerability as soon as they learned about it and may have gotten onto government and corporate networks before the patch was installed. They, then, may have hidden their tracks, making their presence difficult, if not impossible, to detect. When they got whatever it is they came for, they could have left and no one would be the wiser. In the worst case scenario, they could insert malware that could continue remote monitoring of the network.
And now, just hours ago, as of this writing, news has come in from Microsoft that Zerologon is being used in attacks. “Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.”
And this is just the beginning.