Zerologon is one of the major threats that make a user’s computer or laptop more vulnerable. To stop such a security breach, Microsoft updated the Microsoft Windows Defender. The updated in-built antivirus in the Windows-OS system is sufficiently capable of detecting Zerologon exploits. Microsoft Defender for Identity, along with other Microsoft 365 Defender solutions, can check and monitor adversaries that try to exploit this vulnerability against user’s domain controllers.
What is Zerologon?
It is the name of the vulnerability identified in the CVE-2020-1472 patch. The reason behind giving the name “Zerologon” is the flaw present in the logon process where the initialization vector (IV) is set to all zeros every time. This initialization vector setting is problematic because the vector sets to a random number all the time. According to the Common Vulnerability Scoring System (CVSS), Zerologon scores 10 out of 10 on severity parameters. There are active Proof-of-Concept (PoC) exploits available that display the risk profile of Zerologon. Zerologon obtained cryptographic flaws in the Microsoft Windows – Active Directory Netlogon Remote Protocol (MS-NRPC). MS-NRPC allows the users to log on to servers that are using NTLM (NT LAN Manager). There is a problem with security algorithms. It is essential to keep the credentials a secret but not depend on the secrecy algorithm to protect our data. The security algorithms that Microsoft is using for its various platforms are:
AES-CFB8, used by MS-NRPC, keeps MS-NRPC’s initialization vector value of 16 bytes as sixteen zeros. Hence, it will make it a pretty predictable and comfortable mode of a breach.
Working of Zerologon
In September 2020, Tom Tervoort, a Dutch researcher working for Secura, showed the presence of Zerologon. He found that Microsoft has implemented a unique cryptography variation during his research, which was different from other RPC protocols. The Zerologon vulnerability lets a hacker make an entry into an organization’s network and take control of a domain controller (DC), including the root DC. Any hacker can do it by changing or removing DC’s password and triggering a Denial-Of-Service or taking the entire network. A hacker has to make at most 256 attempts to get into the system due to the IV’s poor implementation within MS-NRPC. A hacker gets only three chances to breach an individual’s account in a usual case, but that is not the case with the computer or machine. Hence, a hacker needs to be correct once by hitting one of the 256 keys that produce an all zero ciphertext.
With the new updates in the Microsoft Defender, one can get the following benefits:
- Identification of the device that attempted the impersonation.
- Analyzing the domain controller
- Search the targeted asset(s)
- Check the risk profile of the attack to see whether the impersonation attempts were successful.
Accordingly, alerts will generate to enable admins to check all the four attributes discussed above. Cybersecurity and Infrastructure Security Agency(CISA) issued a series of directives on recognizing the threat of Zerologon and its outreach. CISA ordered civilian federal agencies to patch or disable all affected Windows servers at the earliest. Also, when the Zerologon attack first came into notice, Microsoft released a set of guidelines in a two-phase patch. Microsoft has already released the first phase of the patch. The second phase is yet to launch and will be available by the first quarter of 2021. The first phase involves installing the Microsoft Security Update that the company launched during August 2020.
With Zerologon, all IT-security providers got a lesson regarding encryption algorithms. It is the need of the hour to come forward and deliver and develop more secure approaches. The vulnerability of Zerologon will let these organizations build a team of DevSecOps that can provide automation in security. Hence, it will create a more robust and resilient infrastructure that is not prone to attacks. Also, if there is a security breach, the network should generate alerts and automatically disconnect the entire system so that the hacker’s attack has zero risks.