fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Windows Zerologon PoC exploits allow domain takeover. Patch Now!

Windows Zerologon PoC exploits allow domain takeover. Patch Now!

Researchers have released exploits for the Windows Zerologon CVE-2020-1472 vulnerability that allow an attacker to take control of a Windows domain. Install patches now!

As part of the August 2020 Patch Tuesday security updates, Microsoft fixed a critical 10/10 rated security vulnerability known as ‘CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability’.

After successfully exploiting this vulnerability, attackers are able to elevate their privileges to a domain administrator and take over a domain.

Since then, cybersecurity firm Secura, who discovered this vulnerability, has released a detailed writeup of the vulnerability and named Zerologon.

Abusing cryptographic flaws

When a user logs into a Windows device on a domain, it uses the the Netlogon Remote Protocol (MS-NRPC) over RPC to communicate with the domain controller and authenticate the user.

If a user logs in with the correct credentials, the domain controller tells the device to allow authentication with the appropriate permissions. Those with wrong credentials will obviously not be able to log in.

As the authentication attempts are sensitive, Windows sends the authentication requests over an encrypted, secure RPC connection

Secura researcher Tom Tervoort discovered that is is possible to force domain controllers to fall back to unencrypted RPC communication when performing authentication requests.

After falling back to non-secure RPC communication, Tervoort could abuse a flaw in the Netlogon AES-CFB8 cryptographic negotiation algorithm to try and spoof a successful login.

In Tervoort’s tests, it would take an average of 256 attempts to spoof a successful login successfully.

This manipulation would trick the device to log the user into the system as a domain administrator.

Zerologon Attack flow
Zerologon Attack flow
Source: Secura

Also Read: Website Ownership Laws: Your Rights And What It Protects

Once an attacker gains domain administrator privileges on the network, they get full access to the domain controller, can change users’ passwords, and execute any command they wish.

What makes this vulnerability so scary is that an attacker does not even need legitimate credentials on the domain, but can spoof the responses to cause any login attempt to be successful.

“It would not be necessary to wait for some other user to attempt to log in. Instead, the attacker can login themselves, pretending to only support NTLM and providing some invalid password. The service they are logging in to will forward the NTLM handshake to the domain controller and the domain controller would reply with a negative response. This message could then be replaced by a spoofed reply (also containing a recalculated session key) indicating that the password was correct and, by the way, the user trying to log in happened to be a member of the domain admin group (meaning they also have administrative privileges on the target machine),” Tervoort explains in his report on Zerologon.

This vulnerability is especially concerning when it comes to human-operated ransomware attacks as it allows an adversary with a foothold on a single workstation to gain full control of a network over a Windows domain.

“This vulnerability can be particularly dangerous when an attacker has a foothold in an internal network because it allows for both elevation of privileges (to local admin) and lateral movement (gaining RCE on other machines on the network),” Tervoort warned.

Zerologon Proof-of-Concept exploits released

Since the release of Secura’s writeup, numerous researchers have released proof-of-concept exploits that allow a user to gain domain administrator privileges on a vulnerable network.

Rich Warren of NCC Group released a PoC yesterday that allowed him to achieve domain admin in ten seconds.

Researchers have released additional exploits [12] that perform similar attacks on domain controllers.

Also Read: Data Protection Authority GDPR: Everything You Need To Know

Fixing the vulnerability

As fixing the Zerologon vulnerability can cause some devices to not properly authenticate, Microsoft is rolling out the fix in two stages.

The first stage was released on August 11th in the form of a security update that will prevent Windows Active Directory Domain controllers from using unsecured RPC communication.

This update will also log authentication requests from non-Windows devices that do not use secure RPC communication to allow administrators time to fix the devices or replace them with hardware that supports secure RPC.

On February 9th, 2021, as part of the Patch Tuesday updates, Microsoft will release a second update that will enter the enforcement phase that requires all devices on the network to use secure-RPC, unless specifically allowed by an administrator.

Due to this, it is strongly advised that Windows administrators deploy the first stage of the patch on their Active Directory Domain controller to protect their network.

Secura has released a tool that allows you to check if your domain controller is vulnerable to the Zerologon (CVE-2020-1472) vulnerability.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us