Microsoft has issued a reminder to companies that have not yet updated their systems to address the critical Zerologon flaw, a vulnerability in the cryptography of Microsoft's Netlogon process that enables an attack against Microsoft Active Directory domain controllers, making it possible for an attacker to impersonate any computer, including the root domain controller.

Beginning with the February 9, 2021 Security Update release, Microsoft will be enabling Domain Controller enforcement mode by default, blocking vulnerable connections from non-compliant devices. The Domain Controller enforcement mode requires that all Windows and non-Windows devices use secure RPC (an authentication method that authenticates both the host and the user who is making a request for a service) with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device, said Aanchal Gupta, VP Engineering, MSRC. 

Gupta urged Microsoft customers to:

  • UPDATE Domain Controllers with an update released August 11, 2020 or later. 
  • FIND which devices are making vulnerable connections by monitoring event logs. 
  • ADDRESS non-compliant devices making vulnerable connections. 
  • ENABLE Domain Controller enforcement mode to address CVE-2020-1472 in the environment. 
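The FIND step above depends on reading the Netlogon events that updated domain controllers write to their System log. The script below is an added example, not Microsoft's or the article's own code; it assumes the ActiveDirectory module is available, that the provider name is NETLOGON, that the relevant event IDs are 5827/5828 (denied), 5829 (allowed, enforcement off) and 5830/5831 (allowed by group policy exception), and that the message text carries "SamAccountName:" and "Client IP Address:" labels. Verify those IDs and labels against Microsoft's guidance for your build before relying on the output.

```powershell
# Added example: summarize devices still making vulnerable Netlogon secure channel
# connections, per the FIND step, by querying every DC's System log.
# Event IDs and message labels below are assumptions; confirm against Microsoft's KB.
param(
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * | ForEach-Object HostName),
    [int]$Days = 7
)

function Get-VulnerableNetlogonClients {
    param([string[]]$Servers, [datetime]$Since)
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'
                 Id = 5827, 5828, 5829, 5830, 5831; StartTime = $Since }
    foreach ($dc in $Servers) {
        # Get-WinEvent throws when nothing matches; treat "no events" as a clean DC.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Pull the offending account and client address out of the message text.
            $account = if ($evt.Message -match 'SamAccountName:\s*(\S+)')    { $Matches[1] } else { '<unparsed>' }
            $ip      = if ($evt.Message -match 'Client IP Address:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
            $disposition = switch ($evt.Id) {
                5827    { 'Denied' }
                5828    { 'Denied' }
                5829    { 'Allowed (enforcement off)' }
                default { 'Allowed (GPO exception)' }
            }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $evt.TimeCreated
                EventId          = $evt.Id
                Disposition      = $disposition
                Account          = $account
                ClientIp         = $ip
            }
        }
    }
}

$events = Get-VulnerableNetlogonClients -Servers $DomainControllers -Since (Get-Date).AddDays(-$Days)

# One row per non-compliant device: how often it connects, from where, and whether
# it is already being denied or is still getting through. Rows marked
# "Allowed (enforcement off)" are the ones enforcement mode will start to block.
$events | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account      = $_.Name
        Connections  = $_.Count
        LastSeen     = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
        ClientIps    = ($_.Group.ClientIp | Sort-Object -Unique) -join ', '
        Dispositions = ($_.Group.Disposition | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Connections -Descending | Format-Table -AutoSize
```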

According to Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, “This is a welcome move because it is such a potentially damaging vulnerability that could be used to hijack full Domain Admin privileges – the ‘Crown Jewels’ of any network providing an attacker with God-mode for the Windows server network. The Windows Group Policy continues to be extended in order to mitigate the ever-increasing array of potential vulnerabilities, but there is often a need to make the enablement of defenses a configurable option to ensure backward compatibility to older Windows machines. By defaulting this setting, it's clear that it is seen as too dangerous to leave open. [The] message to everyone is to patch often and regularly and ensure your secure configuration build standard is up to date with the latest [Center for Internet Security] or [Security Technical Implementation Guide] recommendations.”

The vulnerability, rated 10 out of 10 for severity under the Common Vulnerability Scoring System (CVSS v3.1), has been actively exploited by many cybercriminals since its disclosure back in September 2020. "The Iranian APT MuddyWater actively exploited the flaw in cyberespionage campaigns; the threat group Chimborazo (TA505) took advantage of the flaw in financially motivated attacks; and the operators of the Ryuk ransomware variant used the vulnerability to launch extortion-based attacks. Reported attacks began occurring within just two weeks of the vulnerability being disclosed. APT10 (aka Cicada, Stone Panda, and Cloud Hopper) was also observed leveraging ZeroLogon to target Japanese companies in November 2020," says Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions.

"Considering the severity of the vulnerability, it is advised that all Domain Controllers be updated with the latest security patch as soon as possible," said Righi. 

Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, says, “This measure taken by Microsoft is a testament to the severity of the Zerologon vulnerability. Microsoft seems to expect that patching all devices out there will take a substantial amount of time, so it takes this backup approach to mitigate the risk for its customers. The difficulty for those customers, given the pandemic situation of working from home, is to find and patch all vulnerable devices. It is time to scan and check all devices, monitor them for unwanted changes, to find and patch as quickly as possible.”