What is the potential impact of CVE-2020-1472?

The successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, disable security features that protect the Netlogon process, and change a computer’s password associated with its Active Directory account.

What does an attacker need to exploit Zerologon?

In order to exploit Zerologon an attacker needs to be on the network. The attacker can gain access to networks by multiple means such as phishing, drive-by exploits, or additional means.

What event ids are enabled once the August 2020 patch is installed on a domain controller?

The following event ids are enabled once the August 2020 patch is installed on a Domain Controller: Log event IDs 5827 and 5828 log when a connection has been denied to the domain controller once enforcement mode has been enabled. , Log event IDs 5830 and 5831 log when a connection is allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. , Log event IDs 5829 logs whenever a vulnerable Netlogon secure channel connection is allowed for both Windows and Non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices: Action 1: Patch all systems with Microsoft’s August 2020 security updates and verify the successful installation with a vulnerability scanning tool, such as those from Qualys or Tenable, and your organization’s patch management tools. , Action 2: Enabling forwarding to SIEM devices or monitoring event id 5829 and monitoring for devices that are not utilizing a secure Netlogon. If a device is detected with event id 5829 recommended steps by Microsoft are as follows: Windows Systems , – Confirm the device(s) are running supported versions of Windows , – Ensure the system is fully updated. , – Check to ensure that Domain member: digitally encrypt or sign secure channel data (always) is set to enabled. , For non-windows systems acting as a Domain Controller and an event is logged , – Ensure the non-compliant DC supports secure RPC with Netlogon secure channel then enable secure RPC on the DC. , – If the non-compliant DC does not support RPC then the device manufacturer (OEM) or software vendor will need to update in order to support secure RPC with Netlogon secure channel. , – Remove the non-compliant DC. , If a non-compliant DC cannot support the RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the “Domain controller: allow vulnerable Netlogon secure channel connections” group policy. Further information on this action can be found at the following location on Microsoft’s site: , https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc , Action 3: Enable DC enforcement mode after confirming all devices are compliant and will not break as a result of enabling. It should be noted the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

12.18.20

Threat Report

Summary of deepwatch's Actions in Response to Sunburst IOC

By Neal Humphrey Rich Meeker

Executive Summary:

This should be observed as addendum to the deepwatch Significant Cyber Event released on Dec 14, 2020

Significant Cyber Event Link

In an effort to keep our customers up to date on the ongoing actions the deepwatch team has taken with the December 13 announcement of the “Sunburst” malware, the following timelines and information provide a summary of key areas for you to be aware of

Summary Timeline:

Sunday Dec 13. deepwatch was made aware of a SolarWinds Security Advisory – LINK
FireEye was one of the first to report on issues discovered with SolarWinds’ Orion product. They have since referred to the situation as “Sunburst” – LINK
After performing research into the event, deepwatch received and validated IOC’s and rolled them into deepwatch’s Threat Intelligence Platform for distribution and the enablement of active searches against customer data.
Searches were created and run across the deepwatch customer base for these IOC’s. If hits were observed individual customers were notified.
Monday Dec 14. deepwatch squads reviewed customer data and log sources for SolarWinds activities to help determine if customers need to be informed of patching requirements. Because SolarWinds is often deployed for monitoring and management of network infrastructure, customers do not forward to deepwatch event logs directly from the SolarWinds servers. deepwatch must rely on network log sources such as Firewalls, IPS, and DNS to help identify indicators of compromise.
deepwatch Vulnerability Management customers were notified at the same time, after a review was done on their SolarWind assets for version compatibility. Customer’s with both MDR and Vulnerability Management were informed not only of any alerts observed on the IOCs within their network but also if they have exploited versions of Orion installed or were patched ahead or behind those versions. This allowed for more targeted remediation through prioritized patching operations.
Monday Dec. 14. deepwatch sent all customer’s a notification and overview of the Sunburst compromise. LINK
On Tuesday, Dec. 15 an update to the recommended patching level was made as the recommended HotFix version from SolarWinds was updated.
- (2020.2.1 HF 2 (available December 15, 2020))
deepwatch has continuously informed our customers and partners through standard security operations Squad calls of up to date information concerning the breach and the detection or mitigation of any problems.
Additional information that has been relayed:
- Palo Networks Detections and Rules – LINK
- Snort OSINT Detection Rules – LINK
- Cisco Talos Information – LINK
Customers with Network Management services from deepwatch were contacted and updated IOCs and detection rules deployed to their network defenses as new detections were created by their infrastructure vendors.
deepwatch squads and threat hunters continuously monitor for additional information or alerts within impacted customer networks. This is an ongoing campaign even after the killswitch actions that occurred on Dec. 16 – LINK
For the latest information on Sunburst, visit the DHS Cyber website : – LINK

Current MDR Updates:

deepwatch Updates	Category	Actions	Status
Threat Operations	Indicators of Compromise	IOAs and IOCs updated leveraging information provided by multiple verified sources	Dec 13 IOCs are updated daily
Customer Detection Use Cases	Splunk Queries	Perform manual searches based upon information as it becomes available, such as DNS, C2C traffic, SolarWinds Installations, IPS Events, Firewall Traffic.	Dec 13 – 14 Detection Use Cases Live and in Use.
Detection Engineering	Detection Updates	Updated IOAs and IOCs in use with Global and Customer specific Detection Use Cases.	Dec 14 Detection information and enrichments continue to be collected.

Three-Part Sunburst Blog Series Coming Soon

Stay tuned over the next few weeks for a three-part series that we are putting together on our blog to cover Sunburst. In Part I we will examine the timeline of events and what we know so far, as well as provide some insights and thoughts around what this means for the cybersecurity industry moving forward. Part II will map the attacker’s timeline to the MITRE ATT&CK Framework, identifying potential gaps in visibility and providing recommendations for data sources to closely monitor. Part III will examine the path forward and how a holistic approach to data aggregation and visibility is the only way to detect sophisticated attacks like this one.

Subscribe to the deepwatch Insider Blog

Neal Humphrey

Neal Humphrey currently serves deepwatch as Director, Solutions Architecture. Throughout his 20 year career in the security industry Neal has held a variety of roles including Principal Security Engineer at SourceFire, Technical Solutions Architect for Cisco, and as a Director of Threat Intelligence Engineers at ThreatQuotient. Neal has worked with small to medium sized businesses as well as enterprise level organizations to help their security teams identify and solve Cyber Security Operation challenges, as well as help them understand and mature Security Architectures and processes.

Rich Meeker

Rich Meeker is deepwatch’s Technology Alliance’s Director. A seasoned veteran with over 20 years of experience in Information Security, he has helped customers understand how they can better align their Security Architecture and Program to meet the needs of the business. In his career, Rich has been a Security Architect, led a large network Security Consulting practice, and held various certifications such as CISSP and CISM.

Threat Report

Summary of deepwatch's Actions in Response to Sunburst IOC

By <img width="80" height="80" class="author-picture" src="https://www.deepwatch.com/wp-content/uploads/deepwatch-Blog-Author-80x80.jpg"> Neal Humphrey <img width="80" height="80" class="author-picture" src="https://www.deepwatch.com/wp-content/uploads/rich-meeker-headshot-80x80.jpg"> Rich Meeker

Share this entry

Subscribe to the deepwatch Insider Blog

Neal Humphrey

Rich Meeker

Related Posts

Threat Report

SolarWinds Attack - Part I - From Infrastructure to Endpoint

Vulnerability SPOT Report

ZeroLogon Threat Review

Threat Report

Meet the Threat: The Inside Workings of Magecart Breaches

let’s talk.

By Neal Humphrey Rich Meeker