Starting Feb. 9, 2021, Microsoft will enable Domain Controller “enforcement mode” by default to address the Zerologon vulnerability, CVE-2020-1472.
Microsoft is taking action on organisations that have not yet updated their systems to address the critical Zerologon flaw: its domain controllers will soon, by default, refuse the vulnerable Netlogon connections that an attacker could use to exploit it.
Microsoft Active Directory domain controllers are at the heart of the Zerologon vulnerability, which lies in the Netlogon Remote Protocol (MS-NRPC) they expose to domain members. Domain controllers respond to authentication requests & verify users on computer networks.
A successful exploit of the flaw allows unauthenticated attackers with network access to domain controllers to completely compromise all Active Directory identity services.
Domain Controller enforcement mode “will block vulnerable connections from non-compliant devices,” said Aanchal Gupta, VP of Engineering with Microsoft in a Thurs. post.
“DC enforcement mode requires that all Windows & non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.”
In this context, secure RPC means that Netlogon secure-channel RPC calls are signed & sealed (encrypted) rather than sent in the clear, so both the domain controller & the client that is requesting a service are authenticated for every call.
Enforcement mode is meant to stop attackers who already have network access to a domain controller from exploiting the Zerologon privilege-escalation vulnerability (CVE-2020-1472), since the unsigned, unsealed Netlogon connections the attack relies on are no longer accepted.
The flaw, with a critical-severity CVSS score of 10 out of 10, was first addressed in Microsoft’s August 2020 security updates. Starting in Sept., at least 4 public Proof-of-Concept (PoC) exploits for the flaw were released on GitHub, along with technical details of the vulnerability.
The enforcement mode “is a welcome move because it is such a potentially damaging vulnerability that could be used to hijack full Domain Admin privileges – the ‘Crown Jewels’ of any network providing an attacker with ‘God-mode’ for the Windows server network,” Mark Kedgley, CTO at New Net Technologies (NNT), explained.
“By defaulting this setting, it is clear that it is seen as too dangerous to leave open. The message to everyone is to patch often & regularly & ensure your secure configuration build standard is up to date with the latest US Center for Internet Security or Security Technical Implementation Guide recommendations.”
Zerologon has grown more serious over the past few months as several threat actors & advanced persistent threat (APT) groups closed in on the flaw, including the China-linked APT Cicada & the Iran-linked MERCURY APT group.
“Reported attacks began occurring within just 2 weeks of the vulnerability being disclosed,” Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, outlined. “APT10 (aka Cicada, Stone Panda, & Cloud Hopper) was also seen using Zerologon to target Japanese companies in Nov. 2020.”
The US Govt. has also encouraged organisations to update after the publication of the exploits, with the DHS issuing a rare emergency directive that ordered US federal agencies to patch their Windows Servers against the flaw by Sept. 21.
Gupta commented that organisations can take 4 steps to protect themselves from the flaw: update their domain controllers with the update released Aug. 11, 2020, or later; find which devices are making vulnerable connections by monitoring the Netlogon events the patched domain controllers log (event IDs 5827 to 5831 in the System log); fix or replace those non-compliant devices; & enable domain controller enforcement mode.
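The audit-then-enforce procedure above, as an added PowerShell example that is not from the article or from Microsoft’s guidance: it reads the Netlogon events a patched domain controller writes (IDs 5827 to 5831, per KB4557222), lists the accounts still making vulnerable connections, & then sets the FullSecureChannelProtection registry value that turns on enforcement mode. The function & variable names are the example’s own, & it assumes that the first property of each event is the client’s SamAccountName; run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example: audit a domain controller for vulnerable Netlogon secure-channel
# connections, then enable DC enforcement mode. Not the article's or Microsoft's code.
# Event IDs logged by DCs with the Aug. 11, 2020 or later update (KB4557222):
#   5827 / 5828  vulnerable connection DENIED (machine account / trust account)
#   5829         vulnerable connection ALLOWED during the initial deployment phase
#   5830 / 5831  vulnerable connection ALLOWED by the "Domain controller: Allow
#                vulnerable Netlogon secure channel connections" policy exception
$NetlogonEventIds = @{
    5827 = 'denied: machine account'
    5828 = 'denied: trust account'
    5829 = 'allowed (deployment phase)'
    5830 = 'allowed by policy exception: machine account'
    5831 = 'allowed by policy exception: trust account'
}

function Get-VulnerableNetlogonClients {
    # Returns one object per Netlogon event from the last $Days days.
    param([int]$Days = 30)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = @($NetlogonEventIds.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: the first event property is the client's SamAccountName
        # (the "Machine SamAccountName" / "Trust SamAccountName" field in these events).
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Result  = $NetlogonEventIds[$e.Id]
            Account = $e.Properties[0].Value
        }
    }
}

function Enable-NetlogonEnforcement {
    # FullSecureChannelProtection = 1 switches a DC with the Aug. 2020 to Jan. 2021
    # updates into enforcement mode. The Feb. 9, 2021 update makes enforcement
    # permanent and ignores this value, so on a fully patched DC this is a no-op.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name 'FullSecureChannelProtection' -Value 1 -Type DWord
    (Get-ItemProperty -Path $key).FullSecureChannelProtection   # expect 1
}

# Step 2: which accounts are still connecting insecurely? 5829/5830/5831 are the ones
# that would start failing (5827/5828) once enforcement is on.
Get-VulnerableNetlogonClients -Days 30 |
    Where-Object { $_.EventId -in 5829, 5830, 5831 } |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Step 3 is manual: patch or replace each listed device (or, for a device that truly
# cannot be fixed, add it to the policy exception and accept the risk).

# Step 4: turn on enforcement once the list above is empty or fully accounted for.
Enable-NetlogonEnforcement
```

Anything that still shows up as 5829 after enforcement is enabled will be denied (5827/5828) rather than allowed, so re-run the audit after the change to confirm no legitimate device was broken.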
“Considering the severity of the vulnerability, it is advised that all Domain Controllers be updated with the latest security patch as soon as possible,” Righi concluded.