Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

ZeroLogon vulnerability (CVE-2020-1472)

AjishlalAjishlal All-Knowing Sage ✭✭✭✭

ZeroLogon vulnerability (CVE-2020-1472) allows Privilege Escalation attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.

The flaw was addressed in Microsoft’s August 2020 security updates. However, the risk went higher when four PoCs were released and published publicly.

Recently, Microsoft warned about multiple malicious activities by MuddyWater using Zerologon vulnerabilitiy in active campaigns over the last 2 weeks.

MuddyWater an Iranian threat group that has primarily targeted Middle Eastern nations including United Arab Emirates.

Recommendations

It is highly recommended to ensure all your servers are patched and up to date, for further details about ZeroLogon mitigation steps, please find the official notes release by Microsoft

1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

2. https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#Updates%20section

Initiate threat hunting activity for Event ID : 5805 (SYSTEM) or 4624 followed by 4742 as both will be triggered when the exploit is executed.

Category: Water Cooler
Reply

Comments

  • AjishlalAjishlal All-Knowing Sage ✭✭✭✭

    MuddyWater attacks are characterized by the use of a PowerShell-based first stage backdoors such as the newly discovered tool called PowGoop.

    Additionally, Credential-stealing activities were observed as well as setting up tunnels to its own infrastructure to assist with lateral movement using an open-source tools.

    • Recommendations

    o Ensure all systems are patched and updated.

    o Avoid clicking or opening un-trusted or unknown links, files or attachments.

    o Don’t allow Macros for unknown MSOffice files.

    o Enable software restriction policies and application whitelisting.

    o Ensure that email server is configured to block any suspicious attached file extensions.

    o Enforce the Restricted PowerShell script execution policy for end users.

    o Monitor your network for abnormal behaviors and shared IoCs.

    o Block incoming and outgoing traffic from the malicious IPs list.

    o Ensure logging are in place for ani DFIR activities if required.

    • Indicator of Compromises


Sign In or Register to comment.