What is the potential impact of CVE-2020-1472?

The successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, disable security features that protect the Netlogon process, and change a computer’s password associated with its Active Directory account.

What does an attacker need to exploit Zerologon?

In order to exploit Zerologon an attacker needs to be on the network. The attacker can gain access to networks by multiple means such as phishing, drive-by exploits, or additional means.

What event ids are enabled once the August 2020 patch is installed on a domain controller?

The following event ids are enabled once the August 2020 patch is installed on a Domain Controller: Log event IDs 5827 and 5828 log when a connection has been denied to the domain controller once enforcement mode has been enabled. , Log event IDs 5830 and 5831 log when a connection is allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. , Log event IDs 5829 logs whenever a vulnerable Netlogon secure channel connection is allowed for both Windows and Non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices: Action 1: Patch all systems with Microsoft’s August 2020 security updates and verify the successful installation with a vulnerability scanning tool, such as those from Qualys or Tenable, and your organization’s patch management tools. , Action 2: Enabling forwarding to SIEM devices or monitoring event id 5829 and monitoring for devices that are not utilizing a secure Netlogon. If a device is detected with event id 5829 recommended steps by Microsoft are as follows: Windows Systems , – Confirm the device(s) are running supported versions of Windows , – Ensure the system is fully updated. , – Check to ensure that Domain member: digitally encrypt or sign secure channel data (always) is set to enabled. , For non-windows systems acting as a Domain Controller and an event is logged , – Ensure the non-compliant DC supports secure RPC with Netlogon secure channel then enable secure RPC on the DC. , – If the non-compliant DC does not support RPC then the device manufacturer (OEM) or software vendor will need to update in order to support secure RPC with Netlogon secure channel. , – Remove the non-compliant DC. , If a non-compliant DC cannot support the RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the “Domain controller: allow vulnerable Netlogon secure channel connections” group policy. Further information on this action can be found at the following location on Microsoft’s site: , https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc , Action 3: Enable DC enforcement mode after confirming all devices are compliant and will not break as a result of enabling. It should be noted the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

Chasing Silver Sparrow | macOS Malware

Silver Sparrow – Huh?

Silver Sparrow is malware that was discovered by Red Canary detection engineers. As security professionals, we’re used to most malware being targeted for Windows operating systems. This is due to the fact that Windows just has a larger amount of targets available for a hacker to be successful. However, this is actually a macOS piece of malware that leverages a strain of macOS malware using LaunchAgent. This previously undetected strain of malware is unique in that this particular variant of malware does not behave similarly to recent macOS malware recently found in the wild.

This malware is a little more mysterious than others due to its unusual target, which appears to be targeting Apple’s new M1 ARM64 architecture. Given that versions of this malware are compatible with the new M1 chip, combined with its ability to infect at high rates, poses a sophisticated threat payload delivery capability on a global scale. Red Canary stated that it’s “…an activity cluster that includes a binary compiled to run on Apple’s new M1 chips…”

What Happened

Luckily, all known instances of Silver Sparrow macOS malware didn’t include a payload. This is a positive outcome considering that it made its way to about 40,000 Macs. If thinking like an attacker, one could derive that the malware developer was staging for a larger scale payload deployment in mass. In most attacks, an attacker usually follows a series of steps which follow along the line of a type of reconnaissance to delivering a payload which then opens up a multitude of opportunities to perform bad activity.

Since the payload wasn’t actually included in the malware, this indicates that a potential large scale plan was being acted upon. Think of it like the most basic military strategy in war:

As noted in the diagram, the last part in this scenario wasn’t performed by the actor successfully. It appeared that the attacker was still in the staging phase. All 40,000 could’ve been used for a myriad of bad activities such as DDoS, large scale data exfiltration, or a mix of whatever the actor wanted. If Silver Sparrow wasn’t detected, more Macs could’ve been infected which makes the actor’s “army” larger and better for a wide-spread attack.

Resolution

Apple acted quickly to remediate its vulnerability by revoking the certificates used on the bad actor’s developer accounts used to assist in delivering the malware onto victim’s devices. This essentially halts any new devices from being infected by Silver Sparrow macOS malware and any other type of program written by the malware’s creator if they use those same accounts and if the same tactics are used. However, it’s unknown if something similar is still happening without anyone noticing.

Recommendations

Besides Apple remediating the malware as mentioned above, most Endpoint Detection and Response (EDR) solutions now have signatures in place for detecting and protecting against this malware. Ensure that your network has the most updated version of EDR signatures, all security patching has been applied for the OS, and as always, don’t click on anything from any email coming from someone you don’t know as that is the easiest way of delivering malware to a computer.

What’s Next

deepwatch is continuously monitoring this across all our customer environments. As a part of our normal process, malware such as this is at first analyzed to gather as much information as possible, a retrospective analysis follows and any response actions are then applied.

As a more advanced solution, deepwatch also investigates variants of malware with high priority such as this. This includes looking at malware that is similar to the originally reported one. We do this as a proactive measure to ensure that the unknowns have been addressed with appropriate due diligence. In other words, we’re geeks that love going down the rabbit hole. We love finding things that weren’t found before and applying solutions before anyone else.

Threat Report

02.18.21

Threat Report

Chasing Silver Sparrow: Keeping an Eye on the Mysterious macOS Malware

By Randy Grant

Silver Sparrow – Huh?

What Happened

Resolution

Recommendations

What’s Next

Supporting Information

Subscribe to the deepwatch Insider Blog

Randy Grant

let’s talk.

Threat Report

Chasing Silver Sparrow: Keeping an Eye on the Mysterious macOS Malware

By Randy Grant

Silver Sparrow – Huh?

What Happened

Resolution

Recommendations

What’s Next

Supporting Information

Share this entry

Subscribe to the deepwatch Insider Blog

Randy Grant

Related Posts

Threat Report

Microsoft Exchange Server Zero-Days

Threat Report

Windows Event 4688 - Part I - Eh to Excellent

Threat Report

SolarWinds Attack - Part II - Is MITRE ATT&CK Falken's Maze?

let’s talk.