Posted on September 14, 2020 at 4:59 PM
Security researchers recently discovered, and helped shield Microsoft Windows from, a pair of exploits for which Microsoft had never publicly issued details alongside its patches.
Unknown to most people, Microsoft last month patched one of the most dangerous bugs it has ever reported. The flaw would have let attackers quickly take over Windows servers acting as domain controllers on enterprise networks.
Microsoft tracks the bug as CVE-2020-1472 and patched it last month. It described the bug as an elevation-of-privilege vulnerability in Netlogon, the protocol that authenticates users so they can access domain controllers.
The flaw was given the maximum severity score of 10, yet its details were never disclosed to the public. Without full public disclosure, IT administrators and users failed to appreciate how serious it was.
Take over a system's domain controller by using several zero characters
However, the Dutch security firm Secura BV has now published an in-depth report on the elusive bug, explaining in detail how CVE-2020-1472 works.
Based on that report, the bug fully deserves its severity score of 10.
According to Secura's researchers, the bug, dubbed Zerologon, exploits a weak cryptographic algorithm used in the Netlogon authentication process.
By manipulating the Netlogon authentication procedure, the attacker can fake the identity of any network-connected computer while authenticating against the domain controller.
The attacker can also deactivate the security features that shield the Netlogon authentication process, and change the password of any computer in the domain controller's Active Directory (the network database of all computers joined to the domain and their passwords).
One reason the experts named the bug Zerologon is that the attack works by placing several zero characters in specific Netlogon authentication parameters.
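The weak cryptographic step Secura described is Netlogon's use of AES in CFB8 mode with a fixed all-zero initialisation vector, a detail taken from Secura's public write-up rather than from this article. The Go program below is an added example, not code from the article or from Secura: it implements AES-CFB8 and shows why, under that fixed zero IV, an all-zero challenge encrypts to an all-zero credential for roughly one key in 256, which is the property that lets zero-filled parameters pass authentication. The keys it samples come from a seeded pseudo-random generator purely so the run is reproducible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
	"math/rand"
)

// aesCFB8Encrypt: AES in CFB8 mode. For each plaintext byte, AES-encrypt the 16-byte
// shift register, XOR its first output byte with the byte, shift the result in.
func aesCFB8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	reg := append([]byte(nil), iv...) // the shift register starts as the IV
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = out[i]
	}
	return out
}

// zeroChallengeGivesZeroCredential reports whether an all-zero 8-byte challenge encrypted
// under key with the fixed all-zero IV yields eight zero bytes (true for ~1 key in 256).
func zeroChallengeGivesZeroCredential(key []byte) bool {
	cred := aesCFB8Encrypt(key, make([]byte, aes.BlockSize), make([]byte, 8))
	return bytes.Equal(cred, make([]byte, 8))
}

// zeroCredentialHits counts such keys among n seeded pseudo-random keys (expect ~n/256).
func zeroCredentialHits(n int) int {
	r, key, hits := rand.New(rand.NewSource(1)), make([]byte, 16), 0 // not cryptographic: reproducible sample only
	for i := 0; i < n; i++ {
		r.Read(key)
		if zeroChallengeGivesZeroCredential(key) {
			hits++
		}
	}
	return hits
}

func main() {
	fmt.Println(zeroCredentialHits(50000), "of 50000 keys give the all-zero credential (expect about 195)")
}
```

Once the first byte of AES(key, 0^16) is 0x00, the register never changes and every keystream byte is zero, which is why the whole credential collapses to zeros rather than just its first byte.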
One unique aspect of the attack is its speed: it takes at most three seconds. Once attackers compromise a network with Zerologon, there is practically no limit to the damage they can do.
For instance, the attacker can impersonate the domain controller itself and change its password, which gives them the ability to take over a corporation's entire network.
Take over the full network of a corporation in just three seconds
The Zerologon attack does, however, have limitations. For a start, it cannot be used to take over a Windows server from outside the network: the attacker must first get inside the company's network before the attack can succeed.
The trouble is that once that condition is met, the company can be hijacked.
The bug is also a boon for ransomware and malware gangs, whose tools typically work by infecting one computer inside a company's network and then spreading to others.
More patches are still to come
Plugging the hole was never going to be easy for Microsoft. The fix meant changing how billions of computers connect to corporate networks, which effectively meant disrupting the operations of numerous companies.
The fix is therefore being delivered in two phases. The first was completed last month, when the company shipped a temporary mitigation against the Zerologon attack.
That mitigation makes the Netlogon security features that Zerologon disables mandatory for all Netlogon authentications, which effectively breaks the attack.
Microsoft plans a more permanent fix for February 2021, in case attackers manage to maneuver around the August patches. Unfortunately, Microsoft expects this later update to break the authentication process on some devices.