What is the potential impact of CVE-2020-1472?

The successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, disable security features that protect the Netlogon process, and change a computer’s password associated with its Active Directory account.

What does an attacker need to exploit Zerologon?

In order to exploit Zerologon an attacker needs to be on the network. The attacker can gain access to networks by multiple means such as phishing, drive-by exploits, or additional means.

What event ids are enabled once the August 2020 patch is installed on a domain controller?

The following event ids are enabled once the August 2020 patch is installed on a Domain Controller: Log event IDs 5827 and 5828 log when a connection has been denied to the domain controller once enforcement mode has been enabled. , Log event IDs 5830 and 5831 log when a connection is allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. , Log event IDs 5829 logs whenever a vulnerable Netlogon secure channel connection is allowed for both Windows and Non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices: Action 1: Patch all systems with Microsoft’s August 2020 security updates and verify the successful installation with a vulnerability scanning tool, such as those from Qualys or Tenable, and your organization’s patch management tools. , Action 2: Enabling forwarding to SIEM devices or monitoring event id 5829 and monitoring for devices that are not utilizing a secure Netlogon. If a device is detected with event id 5829 recommended steps by Microsoft are as follows: Windows Systems , – Confirm the device(s) are running supported versions of Windows , – Ensure the system is fully updated. , – Check to ensure that Domain member: digitally encrypt or sign secure channel data (always) is set to enabled. , For non-windows systems acting as a Domain Controller and an event is logged , – Ensure the non-compliant DC supports secure RPC with Netlogon secure channel then enable secure RPC on the DC. , – If the non-compliant DC does not support RPC then the device manufacturer (OEM) or software vendor will need to update in order to support secure RPC with Netlogon secure channel. , – Remove the non-compliant DC. , If a non-compliant DC cannot support the RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the “Domain controller: allow vulnerable Netlogon secure channel connections” group policy. Further information on this action can be found at the following location on Microsoft’s site: , https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc , Action 3: Enable DC enforcement mode after confirming all devices are compliant and will not break as a result of enabling. It should be noted the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

04.22.21

Threat Report

CVE-2021-22893 – Pulse Secure VPN Zero-Day & Active Exploits

By Deepwatch,

Executive Summary

Deepwatch is currently tracking and responding to multiple advisories stating that Pulse Secure VPN appliances are being exploited by both a zero day exploit in conjunction with other, older exploits. According to external intelligence sources, these attacks appear to be primarily targeting defense, government, and financial organizations.

Affected Versions:

PCS 9.0R3 and Higher

What Can You Do?

Deepwatch recommends following Secure Pulse’s advisory[1] to:

Implement Pulse Secure’s provided workaround for the zero day vulnerability (CVE-2021-22893 can be mitigated by importing the Workaround-2104.xml file)
Run the Pulse Connect Secure (PCS) Integrity Assurance to check the integrity of the Pulse Connect Secure appliance’s file system
At your network perimeter, block the following URI paths known to be leveraged in these attacks:
- ^/+dana/+meeting
- ^/+dana/+fb/+smb
- ^/+dana-cached/+fb/+smb
- ^/+dana-ws/+namedusers
- ^/+dana-ws/+metric

In May, a security patch is expected to be released as a final mitigation for the zero day vulnerability currently being exploited.

What is Deepwatch Doing?

Managed Detection & Response team is reviewing customers who are currently sending Pulse Secure VPN logs to Splunk
- Deepwatch is performing a 90 day look back of associated URI Indicators of Compromise (IOCs) across the customer base to identify potential targets
Vulnerability Management will be researching the presence of both the zero-day vulnerability and Pulse Secure VPN in customer environments. As detections for this vulnerability were just released by both Tenable (Plugin ID 148847) and Qualys (QID 38838) this week, any given environment would require a new scan to validate the presence of the vulnerability. Thus we will be both checking for whether the VPN exists, as well as if the vulnerability has shown up in any customer environments to date. If found in the environment, we recommend following workarounds provided by Pulse Secure in their advisory mentioned above.

CVEs

IOCs

URI Paths

^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric

Hashes

Per CISA’s advisory[3], the following files have been observed providing webshell functionalities:

DSUpgrade.pm
- MD5: 4d5b410e1756072a701dfd3722951907
Licenseserverproto.cgi
- MD5: 9b526db005ee8075912ca6572d69a5d6
Secid_canceltoken.cgi
- MD5: f2beca612db26d771fe6ed7a87f48a5a
Compcheckresult.cgi
- MD5: ca0175d86049fa7c796ea06b413857a3
Login.cgi
- MD5: 56e2a1566c7989612320f4ef1669e7d5
Healthcheck.cgi
- MD5: 8c291ad2d50f3845788bc11b2f603b4a
Libdsplibs.so
- 416488b6c8a9bdb9c0cb592e36f44677