Bad Password + Zerologon = Ransomware

In the August 2020 monthly patch rollup, Microsoft patched and also released extra guidance for a critical vulnerability in the Netlogon service.  This vulnerability allows for easy and complete takeover of an Active Directory Domain Controller.  And the only requirement to exploit this vulnerability is network connectivity to the Domain Controller.  This means that if ANY of your end-users have a poor password, your entire Windows network can be taken over.  And it is already happening.

The attack is quite simple.  A regular end-user has a bad password.  Attackers figure this out in the typical manner – a password spray or credential stuffing attack.  Once they know the credentials for a user account, the attackers scan the company's public infrastructure to find the VPN device.  They log into the VPN with the compromised credentials and now have direct network connectivity.  The attacker then uses this recent Netlogon vulnerability to gain SYSTEM-level permissions on the domain controller, which means they can do essentially anything they want after that, starting with creating a new Domain Administrator account.

And now, with a Domain Administrator account in hand, the attacker can trigger a very thorough crypto-malware attack across the entire organization.  Ransomware with the reduced privileges of a normal end-user account is bad enough.  But ransomware run as a Domain Administrator can be debilitating.  Not only can it encrypt important company data, but also system files, which can bring down every Windows system.  Most companies have good backups of servers.  But most companies do not back up workstations.  It could take weeks or months to rebuild or replace all the workstations.
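The two links in this chain that a defender can see in logs are the password spray at the front and the vulnerable Netlogon connection in the middle. The following is an added example, not code from the original post or from Microsoft: it runs two simple detections over constructed sample records. The record layout (timestamp, event ID, source IP, account) is an assumption about how you have normalised your Windows event logs; the Netlogon event IDs 5827 to 5831 are the ones the August 2020 patch added to the System log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, assumed normalised from Windows event logs as
# (timestamp, event_id, source_ip, account). 4625 = failed logon (Security
# log); 5827-5831 are the Netlogon events the August 2020 patch added
# (System log, source NETLOGON). "-" marks a field that does not apply.
SAMPLE_EVENTS = [
    ("2020-09-20T08:00:01", 4625, "203.0.113.5", "alice"),
    ("2020-09-20T08:00:03", 4625, "203.0.113.5", "bob"),
    ("2020-09-20T08:00:05", 4625, "203.0.113.5", "carol"),
    ("2020-09-20T08:00:07", 4625, "203.0.113.5", "dave"),
    ("2020-09-20T08:00:09", 4625, "203.0.113.5", "erin"),
    ("2020-09-20T08:00:11", 4625, "203.0.113.5", "frank"),
    ("2020-09-20T08:15:00", 4625, "198.51.100.9", "bob"),  # one user's typo
    ("2020-09-20T09:02:10", 5829, "-", "DC01$"),  # vulnerable channel allowed
    ("2020-09-20T09:02:11", 5827, "-", "WS17$"),  # vulnerable channel denied
]

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: distinct_accounts} for sources whose 4625 failures
    hit at least min_accounts different accounts inside one window. A spray
    is one or two guesses against many users, so per-account lockout misses
    it; counting accounts per source instead of failures per account does not."""
    by_src = defaultdict(list)
    for ts, eid, src, acct in events:
        if eid == 4625:
            by_src[src].append((datetime.fromisoformat(ts), acct))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            accts = {a for t, a in fails[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                flagged[src] = len(accts)
                break
    return flagged

# 5827/5828: vulnerable secure-channel connection denied (machine / trust acct)
# 5829: vulnerable connection still allowed (only logged before enforcement)
# 5830/5831: allowed because of an explicit group-policy exception
NETLOGON_VULN_EVENTS = {5827, 5828, 5829, 5830, 5831}

def detect_vulnerable_netlogon(events):
    """Return (timestamp, event_id, account) for every Netlogon event that
    shows an unpatched or exempted client; 5829 is the one to chase first."""
    return [(ts, eid, acct) for ts, eid, _, acct in events
            if eid in NETLOGON_VULN_EVENTS]
```

A 5829 for a domain controller's own machine account (as in the sample) means the patch is installed but a client is still reaching the DC over the vulnerable channel, which is exactly the window the attack above needs.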

Obviously, organizations need to follow Microsoft’s guidance on patching this vulnerability as soon as possible.  But there have been similar vulnerabilities before, and there will surely be similar ones in the future.  So, organizations should also deploy Password Firewall for Windows to prevent the use of bad passwords that lead to account takeover and much, much worse.