Zerologon actively exploited by Iranian MERCURY APT

Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability (CVE-2020-1472), adding fuel to the fire as the severe flaw continues to plague businesses.

The advanced persistent threat (APT) actor, which Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) has historically targeted government victims in the Middle East to exfiltrate data. Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services.

“MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (Zerologon) in active campaigns over the last 2 weeks,” Microsoft said.

Microsoft released a patch for the Zerologon vulnerability (CVE-2020-1472) as part of its August Patch Tuesday security updates. The bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). As previously reported, the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.

Then, earlier in September, the stakes got higher for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on GitHub.

Microsoft’s alert also comes a week after Cisco Talos researchers warned of a spike in exploitation attempts against Zerologon.

“One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution,” said Microsoft in an earlier analysis. “Following the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the Zerologon exploit.”

Microsoft for its part is addressing the vulnerability in a phased rollout. The initial deployment phase started with Windows updates being released on August 11, 2020, while the second phase, planned for the first quarter of 2021, will be an “enforcement phase.”

Bug in the Group Policy Editor on Windows Server 2016

Microsoft has identified a bug in Windows 10 version 1607 and Windows Server 2016 that is causing errors to appear in the Group Policy Editor.

Microsoft's release health report stated that Windows 10 1607 and Windows Server 2016 users were experiencing errors when opening the Security Options view of the MMC snap-in in the Group Policy Editor.

Group Policy Editor error

Microsoft says the issue is caused by installing the September cumulative update KB4577015 and that it is working on a fix.

Accessing the Security Options data view in Group Policy Management Editor (gpedit.msc) or Local Security Policy Editor (secpol.msc) may fail with the error “MMC has detected an error in a snap-in. It is recommended that you stop and restart MMC” or “MMC cannot initialize snap-in.”

“This happens from the MMC window, when the console tree is expanded in the following order: select Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Local Policies, then Security Options,” Microsoft explained.

As a workaround, users can install the RSAT tools on Windows 10 v1709 or later and edit the policy from there to bypass the issue for now. This will possibly be patched in the next patch window.

Zerologon Goes Wild

Threat actors are actively exploiting the Windows Server Zerologon vulnerability in recent attacks. Microsoft strongly recommends that all Windows administrators install the security updates.

As part of the August 2020 Patch Tuesday security updates, Microsoft fixed a critical vulnerability (CVE-2020-1472) in Netlogon. The problem exists because the Netlogon service does not properly impose security restrictions, so a remote, unauthenticated attacker can use MS-NRPC to connect to a domain controller and obtain domain administrator access.

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks. Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat,” warned Microsoft.
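The phased rollout described earlier and the detection details Microsoft refers to here rest on the same data: the Netlogon secure-channel events (IDs 5827 to 5831) that patched domain controllers write to the System log. Event 5829 marks a vulnerable connection that was still allowed during the deployment phase (those clients will break once enforcement is enabled), 5827/5828 mark connections that were refused, and 5830/5831 mark connections admitted only through the "Allow vulnerable Netlogon secure channel connections" policy. The script below is an added example, not Microsoft's code or part of its threat analytics report; it triages constructed sample records (with assumed field names, which would be mapped from the real event XML) to list the devices to fix before enforcement and to infer each DC's phase.

```python
"""Triage Netlogon secure-channel events (IDs 5827-5831) from domain controllers.

Patched DCs log these events to the System log; the meaning given to each ID
below follows Microsoft's Zerologon deployment guidance. The records are
constructed sample data with assumed field names, not a real domain's logs.
"""
from collections import Counter, defaultdict

DENIED = {5827: "machine account", 5828: "trust account"}             # refused (enforcement)
ALLOWED_DEPLOYMENT = {5829: "machine account"}                        # allowed, deployment phase only
ALLOWED_BY_POLICY = {5830: "machine account", 5831: "trust account"}  # allowed by explicit policy exception

# Constructed sample events: one record per event, fields assumed for illustration.
SAMPLE_EVENTS = [
    {"event_id": 5829, "dc": "DC01", "account": "FILESRV03$", "client_ip": "10.1.4.20"},
    {"event_id": 5829, "dc": "DC01", "account": "FILESRV03$", "client_ip": "10.1.4.20"},
    {"event_id": 5829, "dc": "DC01", "account": "NAS-OLD$", "client_ip": "10.1.9.7"},
    {"event_id": 5830, "dc": "DC01", "account": "PRINTER01$", "client_ip": "10.1.2.3"},
    {"event_id": 5827, "dc": "DC02", "account": "NAS-OLD$", "client_ip": "10.1.9.7"},
    {"event_id": 5828, "dc": "DC02", "account": "PARTNER$", "client_ip": "192.0.2.10"},
    {"event_id": 4624, "dc": "DC02", "account": "alice", "client_ip": "10.1.0.5"},  # unrelated logon event
]


def triage_netlogon_events(events):
    """Group Netlogon secure-channel events by the action an admin must take.

    still_vulnerable: (account, ip) -> count of vulnerable channels *allowed* (5829);
                      these clients break once enforcement mode is enabled.
    denied:           (account, ip) -> count already refused (5827/5828).
    allowlisted:      (account, ip) -> count admitted only via the "Allow vulnerable
                      Netlogon secure channel connections" policy (5830/5831).
    dc_mode:          per-DC inference: "deployment" if it still allows vulnerable
                      channels, "enforcement" if it only denied them, else "undetermined".
    """
    still_vulnerable, denied, allowlisted = Counter(), Counter(), Counter()
    saw_5829, saw_deny, dcs = defaultdict(bool), defaultdict(bool), set()
    for ev in events:
        eid, key = ev["event_id"], (ev["account"], ev["client_ip"])
        if eid in ALLOWED_DEPLOYMENT:
            still_vulnerable[key] += 1
            saw_5829[ev["dc"]] = True
        elif eid in DENIED:
            denied[key] += 1
            saw_deny[ev["dc"]] = True
        elif eid in ALLOWED_BY_POLICY:
            allowlisted[key] += 1
        else:
            continue  # not a Netlogon secure-channel event
        dcs.add(ev["dc"])

    dc_mode = {}
    for dc in sorted(dcs):
        if saw_5829[dc]:
            dc_mode[dc] = "deployment"
        elif saw_deny[dc]:
            dc_mode[dc] = "enforcement"
        else:
            dc_mode[dc] = "undetermined"  # only policy-allowed connections seen
    return {"still_vulnerable": still_vulnerable, "denied": denied,
            "allowlisted": allowlisted, "dc_mode": dc_mode}


def remediation_list(report):
    """Accounts to patch or retire before enforcement: anything seen using a vulnerable channel."""
    accounts = {acct for acct, _ in report["still_vulnerable"]} | {acct for acct, _ in report["denied"]}
    return sorted(accounts)


if __name__ == "__main__":
    report = triage_netlogon_events(SAMPLE_EVENTS)
    for dc, mode in report["dc_mode"].items():
        print(f"{dc}: {mode}")
    for (acct, ip), n in report["still_vulnerable"].most_common():
        print(f"still vulnerable: {acct} from {ip} ({n} allowed connections)")
    print("fix before enforcement:", ", ".join(remediation_list(report)))
```

Run against real data, the 5829 list is the inventory of third-party or legacy devices that need a vendor fix before the enforcement phase; the policy exception behind 5830/5831 should be reviewed periodically rather than left as a permanent allow-list.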

Microsoft also presented three samples that were used in the attacks to exploit the Zerologon vulnerability. The samples are .NET executables with the filename ‘SharpZeroLogon.exe’.

Patch immediately, before it’s too late.

Active Directory: Heart of the Business. Have a Proper DR Plan

As the name suggests, if the business needs to stay active, then Active Directory should be actively protected with proper care.

Business vitality depends on AD: every detail, from login information to email, relies strongly on it. It is therefore vital that we maintain proper hygiene to secure it from external attacks, since there is a long history of intruders contaminating, encrypting and erasing information.

As the gatekeeper to critical applications and data in 90% of organizations worldwide, AD has become a prime target for widespread cyberattacks that have crippled businesses and wreaked havoc on governments and non-profit organizations.

If a disaster happens, there should be an escape route to restore it. The key considerations are elaborated below:

  • Minimize Active Directory’s attack surface: Lock down administrative access to the Active Directory service by implementing administrative tiering and secure administrative workstations, apply recommended policies and settings, and scan regularly for misconfigurations – accidental or malicious – that potentially expose your forest to abuse or attack.
  • Monitor Active Directory for signs of compromise and roll back unauthorized changes: Enable both basic and advanced auditing and periodically review key events via a centralized console. Monitor object and attribute changes at the directory level and changes shared across domain controllers.
  • Implement a scorched-earth recovery strategy in the event of a large-scale compromise: Widespread encryption of your network, including Active Directory, requires a solid, highly automated recovery strategy that includes offline backups for all your infrastructure components as well as the ability to restore from backups without reintroducing any malware that might be on them.
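The second consideration, monitoring object and attribute changes and rolling back the unauthorized ones, is easiest to reason about as a diff between a known-good snapshot and the current directory. The script below is an added example, not from this post or any AD product; the two snapshots and the approved-change list are constructed dicts (a real run would build them from an LDAP export or a backup), and the monitored attributes are a small set of real AD attributes chosen for illustration: group membership, adminCount, userAccountControl, servicePrincipalName and pwdLastSet.

```python
"""Diff two Active Directory snapshots and plan a rollback of unauthorized changes.

Added example: the snapshots are constructed dicts (DN -> attributes), not real
directory exports, and the approved-change list stands in for a change-control
system. Attribute names are real AD attributes; the values are made up.
"""

# Attributes worth alerting on: privileged group membership, privilege markers,
# account flags, Kerberos SPNs and machine password resets.
MONITORED = ["adminCount", "member", "pwdLastSet", "servicePrincipalName", "userAccountControl"]
MULTI_VALUED = {"member", "servicePrincipalName"}  # compared as sets, order is irrelevant

DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
SVC = "CN=svc-backup,OU=Service,DC=corp,DC=example"
BOB = "CN=Bob,CN=Users,DC=corp,DC=example"
TMP = "CN=helpdesk-tmp,CN=Users,DC=corp,DC=example"

# Constructed baseline snapshot (known-good state).
BASELINE = {
    DA: {"member": ["CN=Alice,CN=Users,DC=corp,DC=example"], "adminCount": 1},
    SVC: {"adminCount": 0, "userAccountControl": 66048, "servicePrincipalName": []},
    BOB: {"adminCount": 0, "userAccountControl": 512},
}
# Constructed current snapshot: a service account joined Domain Admins, got an SPN,
# Bob was deleted, and a new account appeared.
CURRENT = {
    DA: {"member": ["CN=Alice,CN=Users,DC=corp,DC=example", SVC], "adminCount": 1},
    SVC: {"adminCount": 1, "userAccountControl": 66048,
          "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    TMP: {"adminCount": 0, "userAccountControl": 512},
}
# Changes covered by a ticket: (dn, attribute); attribute None covers the whole object.
APPROVED = frozenset({(SVC, "servicePrincipalName"), (BOB, None)})


def _norm(attr, value):
    """Normalise a value so multi-valued attributes compare as sets."""
    return frozenset(value or []) if attr in MULTI_VALUED else value


def diff_snapshots(baseline, current, approved=frozenset()):
    """Return a list of change records for created, deleted and modified objects."""
    changes = []
    for dn in sorted(set(baseline) | set(current)):
        if dn not in current:
            changes.append({"dn": dn, "kind": "deleted", "attribute": None,
                            "old": baseline[dn], "new": None, "approved": (dn, None) in approved})
            continue
        if dn not in baseline:
            changes.append({"dn": dn, "kind": "created", "attribute": None,
                            "old": None, "new": current[dn], "approved": (dn, None) in approved})
            continue
        for attr in MONITORED:
            old, new = baseline[dn].get(attr), current[dn].get(attr)
            if _norm(attr, old) != _norm(attr, new):
                changes.append({"dn": dn, "kind": "modified", "attribute": attr,
                                "old": old, "new": new, "approved": (dn, attr) in approved})
    return changes


def unauthorized(changes):
    """Changes with no matching approval are the ones to investigate and revert."""
    return [c for c in changes if not c["approved"]]


def rollback_plan(changes):
    """Actions that restore the baseline for every unauthorized change.

    Each action is (verb, dn, attribute, value): "set" an attribute back,
    "delete" an object that should not exist, or "restore" one from backup.
    """
    plan = []
    for c in unauthorized(changes):
        if c["kind"] == "created":
            plan.append(("delete", c["dn"], None, None))
        elif c["kind"] == "deleted":
            plan.append(("restore", c["dn"], None, c["old"]))
        else:
            plan.append(("set", c["dn"], c["attribute"], c["old"]))
    return plan


if __name__ == "__main__":
    found = diff_snapshots(BASELINE, CURRENT, APPROVED)
    for c in unauthorized(found):
        print(f"UNAUTHORIZED {c['kind']:8} {c['dn']} {c['attribute'] or ''}: {c['old']!r} -> {c['new']!r}")
    for action in rollback_plan(found):
        print("rollback:", action)
```

The approved set is what separates noise from signal: a service account legitimately receiving an SPN is filed and ignored, while the same account appearing in Domain Admins without a ticket produces a concrete revert action. Reviewing that output on a schedule, against a central console as the bullet suggests, is the "periodically review key events" step made mechanical.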