In September 2020, details of a critical vulnerability known as ‘ZeroLogon’ were published. The vulnerability affects the Windows Netlogon process and is tracked as CVE-2020-1472. Its publication coincided with the August 2020 Windows Security Update release, which addressed the vulnerability before it became widely known and distributed among threat actors. Since the announcement, proof-of-concept exploits have been observed in the wild, and a module exploiting CVE-2020-1472 has been added to the Metasploit framework.

Sapphire has been monitoring for this vulnerability since September 2020. Our analysis of available threat intelligence indicates that it continues to be exploited in the wild. There has been a significant increase in ZeroLogon-related activity over recent days, with multiple references identified within threat intelligence both to the vulnerability itself and to malware capable of exploiting it. This may be due to a Microsoft announcement confirming that, from the 8th of February 2021, enforcement mode will be enabled by default through a security update for this vulnerability; the window of opportunity for attackers is narrowing.

The vulnerability itself lies in the cryptographic mechanism of the Netlogon process. Any attacker with network access to a Domain Controller can use publicly available exploits to impersonate any Domain User, including Domain Admin accounts, which elevates their privileges to the highest available within a Windows domain. We assess that this increases the risk from malicious insiders: specifically, legitimate users who have only low-privileged access to Domain Controllers can escalate their privileges.

Since CVE-2020-1472 was announced, Sapphire has created several rules that detect behaviour relating to this vulnerability and alert our analysts. These include rules that correlate vulnerability data with Windows Event IDs on affected products. Using threat intelligence, we have continued to fine-tune these rules, tailoring our indicators of compromise to identify when the vulnerability is being exploited. With the vulnerability itself readily identifiable, the ongoing focus has been on identifying and including other indicators: associated malware, associated IP addresses and command-and-control servers, and user behaviour.
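As an added illustration of the kind of Event ID correlation described above (this is example code written for this article, not Sapphire's detection rules), the script below triages a constructed export of Windows events. It relies on two facts about the August 2020 Netlogon update: the Netlogon service writes System-log events 5827/5828 when it denies a vulnerable secure-channel connection and 5829/5830/5831 when it still allows one, and the Security log writes event 4742 when a computer account is changed. The CSV layout, the host names, the IP addresses, the `ANONYMOUS LOGON` heuristic for 4742 and the severity labels are all assumptions made for the example. Records with an "allowed" ID also answer the enforcement-mode question: those are the devices that will be refused once enforcement is on.

```python
"""Example triage of Netlogon / Security events for CVE-2020-1472 (ZeroLogon).
Constructed sample data; not real telemetry and not the article's own rules."""
import csv
import io
from dataclasses import dataclass

# Netlogon event IDs introduced by the August 2020 update (System log, source NETLOGON).
NETLOGON_DENIED = {5827, 5828}            # vulnerable secure-channel connection refused
NETLOGON_ALLOWED = {5829, 5830, 5831}     # vulnerable connection still permitted
COMPUTER_ACCOUNT_CHANGED = 4742           # Security log: a computer account was changed

# Constructed sample export (column names are an assumption of this example).
SAMPLE_EVENTS = """\
Log,EventID,Computer,TargetAccount,SubjectAccount
System,5829,DC01,PRINTER01$,10.0.0.55
System,5827,DC01,DC01$,10.0.0.200
Security,4742,DC01,WS01$,WS01$
Security,4742,DC01,DC01$,ANONYMOUS LOGON
Security,4742,DC01,DC01$,DC01$
Security,4742,DC01,DC01$,admin.jane
"""


@dataclass
class Event:
    log: str
    event_id: int
    computer: str
    target: str    # machine account the event is about
    subject: str   # caller that made the change, or source of the connection


@dataclass
class Finding:
    severity: str
    event_id: int
    target: str
    subject: str
    reason: str


def parse_events(text):
    """Parse the CSV export into Event records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Event(r["Log"], int(r["EventID"]), r["Computer"],
                  r["TargetAccount"], r["SubjectAccount"]) for r in rows]


def dc_accounts(domain_controllers):
    """Machine-account names (NAME$) for the given domain controller host names."""
    return {f"{dc.upper()}$" for dc in domain_controllers}


def triage(events, domain_controllers):
    """Return one Finding per event that merits analyst attention."""
    dcs = dc_accounts(domain_controllers)
    findings = []
    for ev in events:
        target = ev.target.upper()
        subject = ev.subject.upper()
        if ev.log == "System" and ev.event_id in NETLOGON_DENIED:
            # A refused vulnerable connection against a DC's own account is the
            # pattern an exploit attempt leaves on a patched DC.
            sev = "high" if target in dcs else "medium"
            findings.append(Finding(sev, ev.event_id, ev.target, ev.subject,
                                    "vulnerable Netlogon connection denied"))
        elif ev.log == "System" and ev.event_id in NETLOGON_ALLOWED:
            # Still allowed today; will break under enforcement mode. Inventory it.
            findings.append(Finding("low", ev.event_id, ev.target, ev.subject,
                                    "vulnerable Netlogon connection allowed; device needs remediation"))
        elif ev.log == "Security" and ev.event_id == COMPUTER_ACCOUNT_CHANGED and target in dcs:
            if subject == "ANONYMOUS LOGON":
                # Heuristic (assumption): an anonymous caller changing a DC account is
                # consistent with the DC machine-account password being reset.
                findings.append(Finding("critical", ev.event_id, ev.target, ev.subject,
                                        "DC computer account changed by anonymous caller"))
            elif subject != target:
                # A DC normally rotates its own password; anyone else doing so needs review.
                findings.append(Finding("medium", ev.event_id, ev.target, ev.subject,
                                        "DC computer account changed by another principal"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS), {"DC01"}):
        print(f"[{f.severity}] {f.event_id} {f.target} <- {f.subject}: {f.reason}")
```

In a SIEM the same logic would run continuously; the 5829 "allowed" class is the list to work through before enforcement mode turns those connections into outages.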

We have also created threat hunting processes to detect suspicious activity from insider threats. These processes look for anomalous behaviour, focusing on privilege escalation and unusual user activity.

As with many actively exploited vulnerabilities, our recommended mitigation is to ensure that all affected server versions are patched with the latest security updates.