What is the potential impact of CVE-2020-1472?

The successful exploitation of CVE-2020-1472 allows an attacker to impersonate any computer on the network, disable security features that protect the Netlogon process, and change a computer’s password associated with its Active Directory account.

What does an attacker need to exploit Zerologon?

In order to exploit Zerologon an attacker needs to be on the network. The attacker can gain access to networks by multiple means such as phishing, drive-by exploits, or additional means.

What event ids are enabled once the August 2020 patch is installed on a domain controller?

The following event ids are enabled once the August 2020 patch is installed on a Domain Controller: Log event IDs 5827 and 5828 log when a connection has been denied to the domain controller once enforcement mode has been enabled. , Log event IDs 5830 and 5831 log when a connection is allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. , Log event IDs 5829 logs whenever a vulnerable Netlogon secure channel connection is allowed for both Windows and Non-Windows devices.

What actions can I take to protect my devices from the Zerologon Vulnerability?

deepwatch recommends taking the following actions in vulnerable environments to assist in further protecting devices: Action 1: Patch all systems with Microsoft’s August 2020 security updates and verify the successful installation with a vulnerability scanning tool, such as those from Qualys or Tenable, and your organization’s patch management tools. , Action 2: Enabling forwarding to SIEM devices or monitoring event id 5829 and monitoring for devices that are not utilizing a secure Netlogon. If a device is detected with event id 5829 recommended steps by Microsoft are as follows: Windows Systems , – Confirm the device(s) are running supported versions of Windows , – Ensure the system is fully updated. , – Check to ensure that Domain member: digitally encrypt or sign secure channel data (always) is set to enabled. , For non-windows systems acting as a Domain Controller and an event is logged , – Ensure the non-compliant DC supports secure RPC with Netlogon secure channel then enable secure RPC on the DC. , – If the non-compliant DC does not support RPC then the device manufacturer (OEM) or software vendor will need to update in order to support secure RPC with Netlogon secure channel. , – Remove the non-compliant DC. , If a non-compliant DC cannot support the RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the “Domain controller: allow vulnerable Netlogon secure channel connections” group policy. Further information on this action can be found at the following location on Microsoft’s site: , https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc , Action 3: Enable DC enforcement mode after confirming all devices are compliant and will not break as a result of enabling. It should be noted the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.

05.28.21

Threat Report

Significant Cyber Event | Intelligence Report – Nobelium

By Stephan Schenk,

Summary

Deepwatch is currently tracking and responding to Microsoft’s report regarding the Nobelium threat actor group. Nobelium is the threat actor behind the Solarwinds campaign, including Sunburst and Teardrop. Currently and traditionally, Nobellium has targeted government agencies, think tanks, consultants, and non-governmental organizations. During the current campaign, Microsoft has identified more than 150 organizations in 24 countries that have been targeted.

As in prior campaigns, the threat actors were able to compromise a legitimate service; this time it was USAID’s Constant Contact account. Constant Contact is a mass email marketing solution. Once they had control of the account, they were able to conduct targeted spear phishing campaigns that contained a malicious payload which would create a backdoor on the victim’s machine. The attackers could then pivot to data theft or further entrench themselves in the victim’s network.

As mentioned above, information is limited on the full scope of the attacks and as more information is made available, Deepwatch will review and provide you with an update. For the complete technical analysis, Deepwatch refers you to Microsoft’s report.

What can you do?

Deepwatch recommends that you immediately update your defense-in-depth technologies and signatures to provide you with the most up-to-date protections. We also highly encourage enabling Two-Factor Authentication (2FA) at a minimum, and Multi-Factor Authentication (MFA) preferably where appropriate.

In addition to this, Deepwatch recommends the following:

1. Update your anti-virus and Endpoint Detection & Response (EDR) to the latest signatures.
2. Log PowerShell activity from all Microsoft devices.
3. Quarantine or block all compression extensions and the compromised email addresses on your Security Email Gateway.
4. Review critical access groups to ensure only the appropriate personnel have access to critical systems and applications.
5. Enable data loss prevention mechanisms to monitor and block unauthorized file transfers.
6. Log web facing applications.
7. Review your logging standards to ensure Deepwatch is receiving all of your critical logs (e.g. Security Email Gateway, Web Application Firewalls, PowerShell, CLI, etc.).

What is Deepwatch doing?

Managed Detection & Response team is conducting a review for all customers who are currently sending network and email gateway logs to Splunk.
- Deepwatch is performing a year-to-date analysis of associated Indicators of Compromise (IOCs) across the customer base to identify potential targets.
- Detection Engineering is updating the emerging threat rules to include relevant IOCs.
Deepwatch’s Managed EDR and Firewall teams are evaluating IOCs to ensure that they are loaded into the security platform of choice.

IOCs

IP Addresses

192.99.221[.]77
83.171.237[.]173

Domains

worldhomeoutlet[.]com
theyardservice[.]com
usaid.theyardservice[.]com
dataplane.theyardservice[.]com
cdn.theyardservice[.]com
static.theyardservice[.]com
worldhomeoutlet[.]com

Email Addresses

[email protected][.]gov
[email protected][.]gov

Hashes

2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330