Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
UPDATE: As of the evening of September 23rd, Microsoft has confirmed that threat actors are exploiting CVE-2020-1472 in attacks in the wild.
The risks posed by CVE-2020-1472 (Zerologon) continues to increase as new Proof-of-Concept (PoC) exploit code has been released. Organizations that have not yet applied the August security updates from Microsoft need to do so as soon as possible to avoid being impacted. On September 18th, eSentire deployed detection for Zerologon to all esLOG customers.
This vulnerability, also known as Zerologon, is a Netlogon elevation of privilege vulnerability, affecting multiple versions of Windows Server . If exploited, threat actors can execute remote code, disable security features, and change computer passwords in Active Directory (AD). eSentire has identified an increase in Proof-of-Concept (PoC) exploit code being publicly released. Exploitation in the wild has not been publicly identified at this time but is expected in the immediate future.
What we’re doing about it
What you should do about it
As the severity of this vulnerability is Critical and Proof-of-Concept exploit code is widely available, eSentire has published this second advisory to remind clients to mitigate the vulnerability prior to its use in widespread attacks.
Due to the availability of exploit code and the high impact of successful exploitation, real world attacks are expected in the immediate future. Successful exploitation could lead to elevated privileges (such as domain administrator), making this exploit highly valuable for adversaries with a foothold inside of networks. For additional information on this vulnerability, see eSentire’s previous advisory on the release of Proof-of-Concept (PoC) code and technical details for CVE-2020-1472.
CISA Emergency Directive
On Friday September 18th, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive to all US federal agencies relating to the Zerologon vulnerability . Federal agencies were given four days to ensure that all vulnerable domain controllers were fully patched. Emergency Directives are an unusual step for government patch management. The directive was issued as there is a high probability that unpatched organizations will be impacted in the immediate future.
Availability and Efficacy of Exploits
The Threat Intelligence team has observed multiple Proof-of-Concept code releases since September 14th, 2020. The availability of exploit code greatly reduces the cost/complexity of weaponizing this vulnerability. Researchers have made improvements on exploit code, such as removing the requirement to reset passwords during exploitation . Benjamin Delpy, author of the Mimikatz suggested adding an exploit for Zerologon in an update to his popular offensive security tool.