
Rewterz Threat Advisory – Update: CVE-2020-1472 – NETLOGON Vulnerability Exploited in the Wild – IoCs

Severity

High

Analysis Summary

A common and trending NETLOGON vulnerability, CVE-2020-1472, was reported earlier this month. When we explored this vulnerability, we came to the conclusion that the attacker exploits it through the use of MS-NRPC (Netlogon Remote Protocol). We further discovered that the exploitation technique includes brute force and DCSync for gaining access and escalating privileges. Recently, Microsoft reported IoCs for the Zerologon exploit, with binaries currently used in the wild. Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon, and has detected attacks where public exploits have been incorporated into attacker playbooks.

Technical Summary

1.       The PCAP observed contains multiple failed login attempts on the critical server. The requests were generated using NetrServerReqChallenge.


2.       Excessive brute-force attempts were seen in the respective PCAP. An empty password set was used, consisting mostly of zeros.


3.       The functions carrying the requests were NetrServerAuthenticate3 and NetrServerReqChallenge.

As per Microsoft, the NetrServerAuthenticate3 method is used to mutually authenticate the client and the server, and establishes the session key for secure channel message protection between the client and the server. The NetrServerReqChallenge method SHOULD receive a client challenge and return a server challenge (SC).

4.       Excessive authentication calls, clearly indicating a brute-force attempt followed by a success, were observed.

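The pattern described above (a burst of failed NetrServerAuthenticate3 calls with an all-zero client credential from one source, followed by a success) can be turned into a simple detection. The following is an added example, not code from the advisory; it assumes the MS-NRPC calls have already been extracted from the PCAP into one-line records in a constructed text format, and the field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format (assumption): "<iso-ts> <src-ip> <method> <field>=<16 hex> status=<ntstatus>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>NetrServer\w+) "
    r"(?:client_credential|client_challenge)=(?P<cred>[0-9a-fA-F]{16}) status=(?P<status>0x[0-9a-fA-F]+)$"
)

def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "method": m["method"],
            "cred": m["cred"].lower(), "ok": int(m["status"], 16) == 0}

def detect(lines, threshold=50, window=timedelta(minutes=5)):
    """Alert when a source accumulates >= threshold failed NetrServerAuthenticate3 calls
    within `window` and then succeeds; also note whether the winning credential was all zeros."""
    failures = defaultdict(list)  # src -> timestamps of recent failed authenticate calls
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "NetrServerAuthenticate3":
            continue  # ReqChallenge calls are noise here; the authenticate call carries the outcome
        hist = failures[rec["src"]]
        while hist and rec["ts"] - hist[0] > window:
            hist.pop(0)  # expire failures outside the sliding window
        if rec["ok"]:
            if len(hist) >= threshold:
                alerts.append({"src": rec["src"], "failures": len(hist), "at": rec["ts"],
                               "zero_credential": rec["cred"] == "0" * 16})
            hist.clear()
        else:
            hist.append(rec["ts"])
    return alerts

def build_sample():
    """Constructed sample: 60 zero-credential failures from 10.0.0.5 over one minute, then a
    success; plus one ordinary success from 10.0.0.7 with a non-zero credential."""
    t0 = datetime(2020, 9, 14, 10, 33, 0)
    lines = []
    for i in range(60):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 NetrServerReqChallenge client_challenge=0000000000000000 status=0x0")
        lines.append(f"{ts} 10.0.0.5 NetrServerAuthenticate3 client_credential=0000000000000000 status=0xC0000022")
    ts = (t0 + timedelta(seconds=60)).isoformat()
    lines.append(f"{ts} 10.0.0.5 NetrServerAuthenticate3 client_credential=0000000000000000 status=0x0")
    lines.append(f"{ts} 10.0.0.7 NetrServerAuthenticate3 client_credential=8f3a19c2d4e5b6a7 status=0x0")
    return lines
```

Tune `threshold` and `window` to the domain controller's normal secure-channel churn; a legitimate host fails occasionally but never runs dozens of zero-credential attempts back to back.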

POC

The following is the POC used to test the vulnerability on a target server. The following procedure was observed during the POC:

1.       Spoofing the host credential

2.       Spoofing the authentication call

3.       Changing the host's AD password


Netlogon Logging

To enable Netlogon debug logging, run the following command:

> nltest /dbflag:FFFFFFF


Logs can be reviewed in the %SystemRoot%\Debug folder.


Impact

Privilege escalation

Affected Vendors

Microsoft

Indicators of Compromise

MD5

  • 4bc217374731ae8289936ba2e422af76
  • d2d9898666f79d1a372aaf3abf3a3782
  • 18ef846b444726a747a4b107acb88752

SHA-256

  • b9088bea916e1d2137805edeb0b6a549f876746999fbb1b4890fb66288a59f9d
  • 24d425448e4a09e1e1f8daf56a1d893791347d029a7ba32ed8c43e88a2d06439
  • c4a97815d2167df4bdf9bfb8a9351f4ca9a175c3ef7c36993407c766b57c805b

SHA1

  • 69d725fd4059e69560aaebc3f720706aa154061c
  • 9577be0570e464af72f385479bae9ee9c2a082d4
  • 74b28a8d2656c56af7fe95e00522671530d2dc3e

Remediation