The Zerologon Vulnerability Fix

Tamer Odeh, Regional Director at SentinelOne in the Middle East, talks about the Zerologon vulnerability and explains how the solution offered by SentinelOne plugs this vulnerability.

Cyber safety and digital security concerns have been on the rise since the beginning of 2020, as more people have spent more time online. The COVID-19 pandemic has increased users' exposure to cyberattacks in the UAE, as attackers prey on employees working from home. The UAE is among the Gulf countries most exposed to cyberthreats, with over 100,000 cyberattacks foiled in the country in June 2020.

Among these concerns are vulnerabilities: weaknesses in a system that an attacker can exploit to gain unauthorized access or to perform unauthorized actions.

CVE-2020-1472, better known as “Zerologon”, is a critical (CVSS 10.0) vulnerability affecting all currently supported versions of Windows Server when they act as domain controllers (Windows Server 2008 R2, 2012, 2012 R2, 2016 and 2019). This privilege escalation vulnerability stems from a cryptographic flaw in the authentication handshake of the Netlogon Remote Protocol (MS-NRPC) and lets an unauthenticated attacker with network access to a domain controller impersonate any computer in the domain, including the domain controller itself.

The vulnerability, discovered by Tom Tervoort of Secura, allows a remote attacker to forge a Netlogon authentication credential without knowing any password and then use it to set the computer account password of the domain controller to a known value. With that password the attacker can take over the domain controller, alter or add authentication credentials, escalate to domain administrator, or move laterally to other machines in the domain. One side effect matters to both sides: the reset changes the password stored in Active Directory but not the copy the domain controller keeps locally, so the domain controller's own secure channel and replication break until the original password is restored.
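The forged credential described above comes from the way MS-NRPC computes the Netlogon credential: the 8-byte ClientChallenge is encrypted with the session key using AES-128 in CFB8 mode with an all-zero IV. The following is an added example (not code from the original article, from Secura or from SentinelOne) that shows why an all-zero challenge is accepted for roughly one session key in 256, so an attacker who simply retries wins in a few hundred attempts. Python's standard library has no AES, so the block function is a stand-in (HMAC-SHA256 truncated to 16 bytes, an assumption stated in the code); the argument depends only on the block function looking pseudorandom, not on AES specifically, and the function names here are the example's own.

```python
"""
Added example, not code from the original article or from SentinelOne: why an
all-zero ClientChallenge lets an unauthenticated caller forge a Netlogon
credential (the core of CVE-2020-1472).

MS-NRPC derives the 8-byte credential by encrypting the challenge with the
session key using AES-128 in CFB8 mode with an all-zero IV. Python's standard
library has no AES, so a keyed stand-in block function (HMAC-SHA256 truncated
to 16 bytes) is ASSUMED here; the argument only needs the block function to
look pseudorandom, so the 1-in-256 outcome is the same as with AES.
"""
import hashlib
import hmac
import os

BLOCK_SIZE = 16      # AES block size in bytes
CHALLENGE_SIZE = 8   # Netlogon ClientChallenge / ClientCredential are 8 bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (assumption, see module docstring)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E_k(register);
    the register then shifts left one byte and the ciphertext byte is appended."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb8_encrypt; the register is fed ciphertext bytes either way."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(register))[0])
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential with the AES flag set: CFB8 with an all-zero IV."""
    return cfb8_encrypt(session_key, bytes(BLOCK_SIZE), challenge)


def server_accepts(session_key: bytes, client_challenge: bytes, client_credential: bytes) -> bool:
    """What the DC does in NetrServerAuthenticate3: recompute the credential and compare."""
    expected = compute_netlogon_credential(session_key, client_challenge)
    return hmac.compare_digest(expected, client_credential)


def forged_handshake_succeeds(session_key: bytes) -> bool:
    """Attacker sends challenge = 00*8 and credential = 00*8 without knowing the key.
    This succeeds exactly when E_k(0^16)[0] == 0: the first keystream byte is 0, so
    the ciphertext byte is 0, the register stays all-zero, and every later byte is 0."""
    return server_accepts(session_key, bytes(CHALLENGE_SIZE), bytes(CHALLENGE_SIZE))


def deterministic_key(seed: int, i: int) -> bytes:
    """Stand-in for an unknown 16-byte session key, derived deterministically so
    the example is reproducible (the real key comes from the machine password)."""
    return hashlib.sha256(f"{seed}:{i}".encode()).digest()[:BLOCK_SIZE]


def estimate_success_rate(trials: int, seed: int = 1) -> float:
    """Fraction of session keys for which the zero-credential forgery works; the
    expected value is 1/256, about 0.0039."""
    hits = sum(forged_handshake_succeeds(deterministic_key(seed, i)) for i in range(trials))
    return hits / trials


def find_weak_key(seed: int = 1) -> bytes:
    """First deterministic key for which the forgery works (about 256 attempts),
    i.e. what repeated NetrServerAuthenticate3 calls eventually hit."""
    i = 0
    while not forged_handshake_succeeds(deterministic_key(seed, i)):
        i += 1
    return deterministic_key(seed, i)


if __name__ == "__main__":
    key = find_weak_key()
    print("weak session key (stand-in):", key.hex())
    print("zero challenge   -> credential", compute_netlogon_credential(key, bytes(8)).hex())
    print("random challenge -> credential", compute_netlogon_credential(key, os.urandom(8)).hex())
    print("forgery success rate over 20000 keys: %.4f (1/256 = %.4f)"
          % (estimate_success_rate(20000), 1 / 256))
```

The point the code makes is that the weakness is in the mode and IV choice, not in the attacker's knowledge: with any other challenge the credential depends on the key from the second byte onward, but with a zero challenge a single zero keystream byte freezes the register and the whole credential collapses to zeros. The same zero IV is what later lets the attacker send an all-zero authenticator and an empty password in NetrServerPasswordSet2.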

Detecting and Defending Against Abuse of Zerologon

From an endpoint perspective this attack can be challenging to detect, as the attacker authenticates to the domain in a way that resembles a legitimate domain member. In addition, the primary attack vector is the network (the Netlogon RPC interface of the domain controller) rather than interaction with a host's filesystem. As a result, addressing the flaw directly is out of scope for many traditional endpoint security solutions.

In contrast, SentinelOne researchers have taken a vector-agnostic approach that leverages proprietary innovations to enable detection of this exploit on the endpoint. Our SentinelLabs research team has run numerous tests across the available exploitation frameworks. During this analysis we observed that the attack, while successful, is also highly noticeable on the domain controller, because resetting the domain controller's machine account password disrupts its communications with the rest of the domain in numerous ways.

As a result of this research, the SentinelOne platform is able to detect both the initial exploitation and the post-exploitation activity on a targeted system. While the attack starts from the network, the endpoint is fully aware of the incoming traffic.
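Independently of any vendor product, the domain controller's own event logs carry two documented indicators of the activity described in this section. The following is an added example (not SentinelOne's detection logic and not code from the original article) that triages a handful of constructed event records with them: System-log NETLOGON Event IDs 5827 to 5831, which Microsoft added in the August 2020 Netlogon update to record vulnerable (unsigned and unsealed) secure-channel connections that were denied or allowed, and Security-log Event ID 4742 (a computer account was changed) where the subject is ANONYMOUS LOGON, which is what the exploit's password-reset step leaves behind. The record layout (plain dicts keyed by event data names such as `SubjectUserSid` and `TargetUserName`) and the `ClientIp` and `SamAccountName` keys for the NETLOGON events are assumptions of this example, and `SAMPLE_EVENTS` is constructed, not real log data.

```python
"""
Added example, not SentinelOne's detection logic and not code from the original
article: a minimal triage of domain-controller event-log records for Zerologon
indicators, run over constructed sample records.

Signals used:
  * System log, provider NETLOGON, Event IDs 5827-5831 (August 2020 update):
    a vulnerable Netlogon secure-channel connection was denied (5827 machine
    account, 5828 trust account) or allowed (5829; 5830/5831 via Group Policy
    exception).
  * Security log Event ID 4742 ("A computer account was changed") whose subject
    is ANONYMOUS LOGON (SID S-1-5-7) and whose target is a machine account.

ASSUMPTION: records are plain dicts whose keys mirror the event data names;
SAMPLE_EVENTS below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

NETLOGON_VULNERABLE_CONNECTION = {
    5827: ("high", "vulnerable Netlogon connection from a machine account denied"),
    5828: ("high", "vulnerable Netlogon connection from a trust account denied"),
    5829: ("critical", "vulnerable Netlogon connection from a machine account allowed"),
    5830: ("medium", "vulnerable Netlogon connection allowed by policy exception (machine account)"),
    5831: ("medium", "vulnerable Netlogon connection allowed by policy exception (trust account)"),
}
ANONYMOUS_LOGON_SID = "S-1-5-7"
COMPUTER_ACCOUNT_CHANGED = 4742


@dataclass
class Finding:
    severity: str
    event_id: int
    record_id: int
    summary: str


def triage(events: Iterable[dict], dc_accounts: Set[str]) -> List[Finding]:
    """Return one Finding per suspicious record, in log order."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        if (ev["Channel"] == "System" and ev.get("Provider") == "NETLOGON"
                and eid in NETLOGON_VULNERABLE_CONNECTION):
            severity, text = NETLOGON_VULNERABLE_CONNECTION[eid]
            findings.append(Finding(severity, eid, ev["RecordId"],
                f"{text}: {ev.get('SamAccountName', '?')} from {ev.get('ClientIp', '?')}"))
        elif ev["Channel"] == "Security" and eid == COMPUTER_ACCOUNT_CHANGED:
            target = ev.get("TargetUserName", "")
            if ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID and target.endswith("$"):
                # A DC's own account reset by an anonymous caller is the Zerologon
                # password-reset step; any other machine account is still serious.
                severity = "critical" if target.upper() in dc_accounts else "high"
                findings.append(Finding(severity, eid, ev["RecordId"],
                    f"machine account {target} changed by ANONYMOUS LOGON"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity among the findings, or 'none'."""
    order = ["none", "medium", "high", "critical"]
    return max((f.severity for f in findings), key=order.index, default="none")


SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"Channel": "Security", "EventID": 4742, "RecordId": 1001,
     "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "TargetDomainName": "CORP"},
    {"Channel": "Security", "EventID": 4742, "RecordId": 1002,          # benign admin change
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1105", "SubjectUserName": "svc-join",
     "TargetUserName": "WS22$", "TargetDomainName": "CORP"},
    {"Channel": "Security", "EventID": 4624, "RecordId": 1003,          # not covered by these rules
     "SubjectUserSid": "S-1-5-7", "LogonType": 3},
    {"Channel": "System", "Provider": "NETLOGON", "EventID": 5829, "RecordId": 2001,
     "SamAccountName": "DC01$", "ClientIp": "10.0.0.55"},
    {"Channel": "System", "Provider": "NETLOGON", "EventID": 5827, "RecordId": 2002,
     "SamAccountName": "DC01$", "ClientIp": "10.0.0.55"},
]
DC_ACCOUNTS = {"DC01$"}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"[{f.severity}] event {f.event_id} record {f.record_id}: {f.summary}")
```

Two caveats when running something like this against real logs: the 5827 to 5831 events only exist on domain controllers that have the August 2020 update installed, and 5829 is also produced by legitimate third-party devices that cannot use secure RPC, so the account name and client address in the event decide whether it is an exploit attempt or an inventory problem. A 4742 for a domain controller's own account with an anonymous subject has no benign explanation.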

When suspicious activity is detected, a threat is raised and an in-context alert is shown in the management console. This detection is available now on specific SentinelOne agent versions, which will help keep attackers at bay. With it, SentinelOne helps customers stop Zerologon exploits at the endpoint. Given the historical difficulties organizations have with patching, the detection protects SentinelOne customers while the vulnerability remains unpatched; the fix itself is still Microsoft's August 2020 Netlogon update, whose enforcement phase was scheduled for February 2021, and the detection complements rather than replaces it.