A critical vulnerability has been discovered in Windows Server, allowing unauthenticated attackers to compromise all Active Directory identity services. The severity of this exploit has been rated at a 10/10 by security experts. The U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) believe that “active exploitation of this vulnerability is occurring in the wild”.

In response, the CISA issued an emergency directive requiring all Executive Branch departments and agencies to patch their Windows Servers with the domain controller role. In a public statement, CISA also recommended that all government and private organizations update their Windows Server instances to prevent themselves from being breached.

What you need to know

The attack, known as ZeroLogon, takes advantage of flaws in a cryptographic authentication protocol that proves the authenticity and identity of a domain-joined computer to the domain controller. The vulnerability allows an attacker to spoof the identity of any computer account making it possible to obtain administrator privileges and move laterally throughout a network.

The vulnerability has been given the Common Vulnerabilities and Exposures ID CVE-2020-1472. More information is available from the National Institute of Standards and Technology (NIST) and in this whitepaper by the organization (Secura) that discovered it.

What is the impact

ZeroLogon allows an attacker on the local network to completely compromise the Windows domain. Attackers can combine this exploit with others to gain access from outside the network or utilize a malicious insider or a compromised device that has been plugged into the on-premise network.

Once connected to an unpatched domain controller, without any authentication, the attacker can elevate their privileges and instantly become an administrator. With these privileges, the attacker can move laterally and compromise other systems. Because this vulnerability does not appear to require any tools it makes stealing and ransoming all data on a server extremely quick.

What you should do

Wandera highly recommends that organizations immediately follow Microsoft’s guidelines to safely manage the changes required to mitigate this vulnerability.

How to prevent exploits like this in the future:

Exploits such as ZeroLogon require connections to corporate systems, in this case, the domain controller, from there the attack can spread. Zero Trust Network Access tools can help eliminate and mitigate threats such as this.

Firstly, connectivity to any corporate resource is prevented until after the user is authenticated and the device is verified as secure. Untrusted users and devices are not able to connect to the domain controller to launch the attack.

Secondly, least-privilege access and microsegementation prevent trusted users and devices from having broad network visibility, limiting them to only the systems that they have been expressly granted permission to access.

Thirdly, if the ZeroLogon exploit was successfully executed, Zero Trust Network Access tools would limit any lateral movement to just those defined by the least-privileged access policies, dramatically reducing the blast radius and potential damage of the attack.

To learn more about the ZeroLogon exploit and how to prevent it damaging your organization, please get in touch with one of our security experts.