In September 2020, details of a critical vulnerability known as ‘ZeroLogon’ were published. The vulnerability affects the Windows NetLogon process and is referenced as CVE-2020-1472. The publication coincided with the August 2020 Windows Security Update release, which addressed the vulnerability before it became widely known and distributed among threat actors. Since its announcement, proof-of-concept exploits have been detected, and a module for exploiting CVE-2020-1472 has been added to the Metasploit framework.

Sapphire has been monitoring for this vulnerability since September 2020. An analysis of available threat intelligence indicates that the vulnerability continues to be exploited in the wild. There has been a significant increase in activity related to ZeroLogon over recent days, with multiple references identified within threat intelligence both to the vulnerability itself and to malware capable of exploiting it. This may be due to a Microsoft announcement confirming that, from the 8th of February 2021, enforcement mode will be enabled by default through a security update for this vulnerability; the window of opportunity for attackers is narrowing.

The vulnerability itself lies within the cryptographic mechanisms of the NetLogon process. Any attacker with access to a Domain Controller can leverage available exploits to impersonate any Domain User, including Domain Admin accounts. This allows privileges to be elevated to the highest level available within a Windows Domain. We assess that this increases the risk around malicious insiders; specifically, legitimate users who have lower-privileged access to Domain Controllers can escalate their privileges.

Since CVE-2020-1472 was announced, Sapphire has created several rules that detect and alert our analysts to any behaviour relating to this vulnerability. This includes rules that correlate vulnerability data with Windows Event IDs on affected products. Using threat intelligence, we have continued to fine-tune these rules, tailoring our indicators of compromise and identifying when the vulnerability is being exploited. With the vulnerability itself readily identifiable, the ongoing focus has been on identifying and including other indicators: associated malware, associated IP addresses and command and control servers, as well as user behaviour.

We have created threat hunting processes to detect suspicious activity from insider threats. These processes look for anomalous behaviour, with a focus around privilege escalation and unusual user activity.

As is the case with many vulnerabilities being actively exploited, our recommended mitigation is to ensure that all affected server versions are patched with the latest security updates.

On the 12th of January 2021, Microsoft released the first cumulative patch of the new year, with eighty-three security vulnerabilities rectified across a range of Microsoft products. The most significant of these fixes related to a zero-day vulnerability within Microsoft Defender, the integrated anti-virus of Windows operating systems.

This vulnerability is tracked as CVE-2021-1647 and is described as a Remote Code Execution (RCE) vulnerability, allowing threat actors to infect target systems with executable code.

IDC has reported that 70% of successful breaches begin at the endpoint, which must be a concern to many businesses and organisations in the changing world of 2020. A McAfee Threat Report published in July this year reported an overall decrease in new malware of 35% in H1 2020, indicating that known malware is still proving successful and lucrative for criminals to utilise.

Overview

Pysa Ransomware, also known as Mespinoza Ransomware, is an extremely dangerous file-encrypting virus known for encrypting users’ crucial files and data stored on their systems. Victims are required to pay a ransom fee in order to obtain a decryption key, which is supposed to unlock all affected files. Pysa ransomware has so far impacted a variety of industries, but the main sector targeted amid the pandemic, accounting for almost 25% of total Pysa victims, is the Healthcare industry. However, the Financial, IT, Non-Profit, Public Sector and food services industries have also been popular targets.

What is it?
‘Browser hardening’ refers to ways in which we can tweak our web browser’s settings, with the goal of enhancing its security and privacy.

What does it involve?
A great starting point is exploring your browser’s settings page and making some adjustments. You can add to this by installing and configuring plug-ins. More advanced options exist ‘under the hood’ of most browsers, for example Firefox’s about:config page. Let’s explore why you might choose to do this and explain some changes that can be made.
