Since Windows' inception, it has always been plagued with serious and easily exploited vulnerabilities, and "Zerologon" is no exception. DHS's Cybersecurity and Infrastructure Security Agency (CISA) stated in its directive that it expected imminent exploitation of the flaw.
The vulnerability, tracked as CVE-2020-1472, is described as: "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'."
As Bad As It Gets
Microsoft's Security Intelligence unit tweeted that the company is "tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon vulnerability."
"We have observed attacks where public exploits have been incorporated into attacker playbooks," Microsoft said. "We strongly recommend customers to immediately apply security updates."
Microsoft released a patch for the vulnerability in August, but businesses commonly delay deploying updates for days or weeks while testing to ensure the fixes do not interfere with or disrupt specific applications and software.
This vulnerability is extremely easy to exploit and gives an attacker complete control over the Windows domain. It's as bad as it gets and will spawn a new generation of ransomware attacks.
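One concrete way a defender can watch for this, as an added example that is not from the original post: a small Python scanner over constructed Security-log records. It looks for event 4742 (computer account changed) attributed to ANONYMOUS LOGON against a domain controller's machine account, which is how an unauthenticated Netlogon password reset shows up, and for the Netlogon events 5827, 5828 and 5829 that Microsoft's August update added to report vulnerable secure-channel connections being denied or allowed. The JSON field names, host names, IP addresses and the domain controller list are all assumptions made for the example.

```python
import json
from typing import Iterable

# Machine accounts of the domain controllers in a hypothetical domain.
# In production this set would come from AD rather than being hard-coded.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Netlogon audit events introduced by Microsoft's August 2020 update.
NETLOGON_DENIED = {5827, 5828}   # vulnerable secure-channel connection refused
NETLOGON_ALLOWED = {5829}        # vulnerable connection still allowed (pre-enforcement)

# Constructed sample export: one JSON object per line, in a simplified
# SIEM-style shape. These records are made up for the example.
SAMPLE_LOG = """
{"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "svc_backup", "TargetUserName": "WS-042$"}
{"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}
{"EventID": 5829, "Computer": "DC01.corp.example", "MachineAccount": "WS-017$", "ClientIP": "10.0.5.17"}
{"EventID": 5827, "Computer": "DC02.corp.example", "MachineAccount": "DC02$", "ClientIP": "10.0.9.200"}
{"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "-", "TargetUserName": "jdoe"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse a newline-delimited JSON export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymous_dc_password_reset(ev: dict) -> bool:
    """Event 4742 where ANONYMOUS LOGON changed a DC machine account.

    A Zerologon exploit resets the domain controller's own machine-account
    password over an unauthenticated Netlogon call, so the resulting 4742
    is attributed to ANONYMOUS LOGON rather than to any real principal.
    """
    return (
        ev.get("EventID") == 4742
        and str(ev.get("SubjectUserName", "")).upper() == "ANONYMOUS LOGON"
        and ev.get("TargetUserName") in DOMAIN_CONTROLLERS
    )


def scan(events: Iterable[dict]) -> list[dict]:
    """Return one finding per suspicious event, in log order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if is_anonymous_dc_password_reset(ev):
            findings.append({
                "severity": "critical",
                "event_id": eid,
                "host": ev.get("Computer"),
                "detail": f"ANONYMOUS LOGON reset password of {ev['TargetUserName']}",
            })
        elif eid in NETLOGON_DENIED or eid in NETLOGON_ALLOWED:
            account = ev.get("MachineAccount", "?")
            # A vulnerable connection for a DC's own account is the exploit's
            # footprint; for a workstation it is more likely a legacy client
            # that needs fixing before enforcement mode is switched on.
            if account in DOMAIN_CONTROLLERS:
                severity = "critical"
            elif eid in NETLOGON_ALLOWED:
                severity = "high"
            else:
                severity = "medium"
            outcome = "allowed" if eid in NETLOGON_ALLOWED else "denied"
            findings.append({
                "severity": severity,
                "event_id": eid,
                "host": ev.get("Computer"),
                "detail": f"vulnerable Netlogon channel for {account} "
                          f"from {ev.get('ClientIP', '?')} ({outcome})",
            })
    return findings


if __name__ == "__main__":
    for f in scan(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity'].upper():8}] {f['event_id']} on {f['host']}: {f['detail']}")
```

Run against the constructed records, the scanner flags three of the five events: the anonymous reset of DC01$, the still-allowed vulnerable connection from a workstation, and a denied vulnerable connection for DC02$'s own account, which is treated as critical because that account is exactly what the exploit targets. Routine 4742 changes by a real principal and ordinary logons are ignored.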
In just the last few years ransomware has bloomed into what could be a billion-dollar industry, with easy-to-use malware tool kits and even brokerage services to mediate between victims and attackers. Barely a day goes by without news of a local government institution or private company paying out, in some cases hundreds of thousands of dollars, to decrypt its files.
This is not going away. For large companies that need to provide enterprise solutions to their users, domains will likely remain the only option for the foreseeable future. But for small businesses, the risk is too high for the benefits a Windows domain offers.
Ditch The Domain
We truly believe that running domain controllers and joining Windows workstations to them is completely unnecessary for small businesses.
These types of networks are the target of most ransomware, and the very functionality that ties Windows computers together is their downfall. Often entire businesses are overrun almost instantly when malware hits.
There are plenty of cloud services that can provide anything a Windows domain can. Most small companies adopted Windows domains for their email and file sharing capabilities, and there are excellent, cheap cloud services that offer both with superior functionality.
A quick Google search reveals some Outlook alternatives:
Not every business can run Apple OS X, and Macs are too expensive for some small companies; however, Windows workstations can keep operating after their connection to the domain is cut. Granted, in the short term some painful adjustments might be needed to replace domain-based services.
But we honestly believe this pain is worth it to avoid a complete system-wide failure from a malware attack.
As a small business, it's time to ditch the Windows domain controller hiding in the cupboard and move to the cloud.
-- The Escaped Team --