Zerologon ! Goes Wild

Threat actors are activly exploiting the Windows Server Zerologon vulnerability in recent attacks. Microsoft strongly recommends all Windows administrators to install the security updates.

As part of the August 2020 Patch Tuesday security updates, Microsoft fixed a critical vulnerability (CVE-2020-1472) in Netlogon. The problem exists due the fact that application does not properly impose security restrictions in Netlogon. A remote non-authenticated attacker can use MS-NRPC to connect to a domain controller to obtain domain administrator access.

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks. Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat,” warned Microsoft.

Microsoft also presented three samples that were used in the attacks to exploit the ZeroLogon vulnerability. The samples are .NET executables with the filename ‘SharpZeroLogon.exe’.

patch immediately before it’s becomes late

Crowdstrike Aquires Preempt Zero Trust provider

Crowdstrike agreed to acquire Preempt Security, a provider of Zero Trust and access control technology, in a deal valued at roughly $96 million.

Preempt founded in 2014 is yet another cybersecurity firm with roots into the Israeli Defense Forces.

CrowdStrike to buy Preempt SecurityPreempt focuses on providing security by preventing malicious transactions. It does this by identity, behavior, risk and context at the point of the transaction rather than just the point of log-in. It allows for control over who can access what resources and in what context without network segmentation or application development.

CrowdStrike plans integrate Preempt’s technology into the CrowdStrike Falcon platform to help customers achieve end-to-end visibility and enforcement on identity data.

“Hybrid work environments will become the norm for many organizations which means that Zero Trust security with an identity-centric approach and detecting threats in real-time are critical for business continuity.

With the addition of Preempt Security’s capabilities, the CrowdStrike Falcon platform will provide enhanced protection against identity-based attacks and insider threats.

Under the terms of the agreement, CrowdStrike plans to pay roughly $86 million in cash and $10 million in stock and options subject to vesting conditions.

The acquisition is expected to close in CrowdStrike’s fiscal third quarter 2021.

Microsoft unifies Defender umbrella… Ignite 2020

Defender is getting ignited .. more products are getting in to one umbrella. Initially change of windows defender to Microsoft defender in early 2020, this comes as a products unification .

Products are mainly categorised in to two. Microsoft 365 defender for endpoints and Azure defender for cloud Infrastructures

Microsoft 365 Defender line will include:

Microsoft 365 Defender
Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft Defender for Identity

Azure Defender line will include:

Azure Defender for Servers
Azure Defender for IoT
Azure Defender for SQL

It’s hard to follow product portfolio’s since the inception of products . It’s difficult to keep track of products.Going forward, there will be Microsoft Defender and Azure Sentinel.

Microsoft Defender will be Microsoft’s XDR product, while Azure Sentinel will be the company’s SIEM line.

XDR stands for eXtended Detection and Response and is a cyber-security term that refers to products that detect and respond to active threats on endpoints .

SIEM stands for Security Information and Event Management and is a cyber-security term that refers to web applications that aggregate logs from all devices in order to analyze large quantities of data from a vantage point and search for anomalies and signs of a security breach.

Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise.

Microsoft believes that defenders can benefit from using deeply integrated SIEM and XDR for end-to-end visibility and prioritized actionable insights across all your enterprise assets.

Windows 10 Sandbox has a Vulnerability inside

A researcher discovered a new zero-day vulnerability in most Windows 10 editions, which allows creating files in restricted areas of the operating system.

Exploiting the flaw is trivial and attackers can use it to further their attack after initial infection of the target host, albeit it works only on machines with Hyper-V feature enabled.

An unprivileged user can create an arbitrary file in ‘system32,’ a restricted folder holding vital files for Windows operating system and installed software.

However, this works only if Hyper-V is already active, something that limits the range of targets since the option is disabled by default and is present in Windows 10 Pro, Enterprise, and Education.

Hyper-V is Microsoft’s solution to creating virtual machines (VM) on Windows 10. Depending on the physical resources available on the host, it can run at least three virtual instances.

Given sufficient hardware resources, Hyper-V can run large VMs with 32 processors and 512GB of RAM. An average user user may not have a use for such a virtual machine but they may run Windows Sandbox, an isolated environment for executing programs or loading websites that are not trusted, without risking to infect the normal Windows operating system.

Microsoft introduced Windows Sandbox with the May 2019 Update, in Windows 10 version 1903. Turning on this feature automatically enables Hyper-V.

To demonstrate the vulnerability researchers created in \system32 an empty file named phoneinfo.dll. Making any changes in this location requires elevated privileges but these restrictions are irrelevant when Hyper-V is active.

The creator of the file is also the owner, an attacker can use this to place malicious code inside that would be execute with elevated privileges when needed.

CERT/CC vulnerability analyst Will Dormann confirmed that the vulnerability exists and that exploiting it requires literally no effort from an attacker on the host.

Although this vulnerability is easy to exploit there are more dangerous issues in Windows 10 that Microsoft should address. This is one reason he decided to make it public and not report it through Microsoft’s bug bounty program.