New Windows Vulnerability Enables Domain Takeover

The Windows operating system has been an all-time favorite target for several cyber attackers due to its massive market share and its predisposition to a large number of vulnerabilities. Recently, a vulnerability was identified by researchers in Windows servers that could allow an attacker to access the internal networks and become domain admin.


What was found?

Identified and tracked as CVE-2020-1472, the flaw may allow an attacker to become a domain admin via a new attack dubbed Zerologon.
  • The Zerologon attack is based on the exploitation of the privilege escalation vulnerability, CVE-2020-1472, which resides in Netlogon. 
  • The Netlogon authentication mechanism is primarily used to verify login requests in the Windows Client Authentication Architecture.
  • To exploit this vulnerability, the attacker needs to connect to a domain controller via a Netlogon secure channel connection using the Netlogon Remote Protocol (MS-NRPC).
  • Once connected, the attacker can obtain domain administrator access and use it in carrying out malicious activities.


Other Windows threats

  • In August, an updated variant of Lemon_Duck cryptomining malware was seen targeting the SMBGhost (CVE-2020-0796) vulnerability in the Windows SMBv3 Client/Server RCE
  • In July, Microsoft had patched a wormable (i.e. self-propagating) vulnerability dubbed Sigred that affected Windows DNS. Tracked as CVE-2020-1350, this vulnerability is capable of jumping across vulnerable machines without any user interaction.


Conclusion

In its August 2020 Patch Tuesday security updates, Microsoft had provided a temporary fix, and a complete patch is expected by February 2021. Besides these updates, users are recommended to apply the patches for all the deployed applications, firmware, and Windows OS to stay protected.