In August 2020, Microsoft disclosed that it had discovered a vulnerability in Netlogon that could lead to remote code execution. The vulnerability, tracked as CVE-2020-1472, is a privilege flaw in MS-NRPC (Microsoft Windows Netlogon Remote Protocol), and Microsoft has since released further rounds of mitigation for it. Microsoft now understands this vulnerability to have been weaponized by Advanced Persistent Threat (APT) groups.
APT groups are generally classified as those that head up cyber attacks on national information assets of economic, security, or strategic significance. Their favored modus operandi is to use cyber sabotage or cyber espionage to achieve their aims. APTs have become effective in what they do and are adept at remaining elusive to the authorities. They have the ability and potential for wreaking havoc on a national level.
It is not only foreign or enemy nations that APTs target, although this is the prime purpose for some. They also have large corporations, many of which use Microsoft products, fixed in their sights. Their weaponizing of the MS-NRPC privilege flaw vulnerability is further evidence of these tactics.
MS-NRPC is one of Active Directory’s authentication components. The privilege flaw is exposed when an attacker uses MS-NRPC to establish a Netlogon secure channel connection to a domain controller. In that situation, the attacker does not need to authenticate before gaining administrator privileges. Once they have achieved such unauthenticated access, the attacker can run arbitrary code on Windows domain controllers affected by the flaw.
Microsoft first issued mitigation for Zerologon in August 2020, following a rapid escalation in its concerns about the flaw. That patch update was the third-largest Microsoft had released; the two previous months had been the largest (129 patches in June 2020) and second-largest (123 patches in July 2020). The sheer number of patches released recently by Microsoft is placing additional pressure on the teams responsible for managing them, according to Dustin Childs of Trend Micro’s ZDI (Zero-Day Initiative).
Despite the August patch release, publicly available exploit code was discovered in mid-September. Following that discovery, the Department of Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) issued a directive requiring federal agencies to take mitigating action by midnight on September 21. A CISA official made a statement regarding the vulnerability, recognizing the unacceptable risk it poses to the Federal Civilian Executive Branch.
APT groups were quick to add Zerologon to their arsenal of cyber weaponry. One of the first to use this weapon was Mercury, an Iranian APT group, who used the vulnerability during several attacks.
Microsoft was able to detect these attacks and has now released phase 2 of its mitigation. Starting with the security update issued on February 9, 2021, Windows domain controllers are placed in enforcement mode. This measure requires all devices (whether Windows-based or not) to use secure RPC (Remote Procedure Call) with the Netlogon secure channel.
This mitigation measure will block any vulnerable connections from devices that are not complying with this protocol unless such devices have been given a manual exception to allow such connections.
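As an added example (not from the article), the following PowerShell script, run on a domain controller, checks the enforcement registry value and summarises the Netlogon events Microsoft logs when a vulnerable connection is denied or allowed through an exception. The registry value name, event provider name and event IDs are taken from Microsoft’s CVE-2020-1472 guidance (KB4557222), not from this article.

```powershell
# Added example: audit a domain controller's Zerologon enforcement state and
# review Netlogon events about vulnerable secure channel connections.
# Registry value and event IDs follow Microsoft's CVE-2020-1472 guidance
# (KB4557222). Run in an elevated session on a domain controller.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$value  = Get-ItemProperty -Path $params -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue

if ($null -eq $value) {
    Write-Output 'FullSecureChannelProtection not set: the DC relies on the update default (enforced from the February 2021 update).'
} elseif ($value.FullSecureChannelProtection -eq 1) {
    Write-Output 'FullSecureChannelProtection = 1: enforcement mode is explicitly enabled.'
} else {
    Write-Output "FullSecureChannelProtection = $($value.FullSecureChannelProtection): pre-enforcement setting; the February 2021 update enforces regardless."
}

# Netlogon event IDs written to the System log for vulnerable connections:
#   5827 - vulnerable machine account connection denied
#   5828 - vulnerable trust account connection denied
#   5829 - vulnerable machine account connection allowed (initial deployment phase)
#   5830 - vulnerable machine account connection allowed by group policy exception
#   5831 - vulnerable trust account connection allowed by group policy exception
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No vulnerable Netlogon connection events in the last 7 days.'
    return
}

# Count per event ID, then list the first lines of each message (which name the
# device or trust involved) so affected devices can be updated, or given a
# documented exception only where that is unavoidable.
$events | Group-Object Id | ForEach-Object {
    Write-Output ('Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count)
}
$events |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0..3] -join ' ' } } |
    Format-Table -AutoSize
```

Events 5830 and 5831 identify connections that are only succeeding because of the manual exception the article mentions, so they are the ones to review first.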