Detecting ZeroLogon with Zero Signatures

September 22, 2020
Stephen Malone
Senior Product Manager
Detecting ZeroLogon with Zero Signatures

Fast moving critical vulnerabilities or zero-days expose the weaknesses of legacy cybersecurity products that rely on signatures to match threats. Signatures are useful for providing continued protection against known and historic threats, but can't do much for new threats until the vulnerability is found by security researchers and a new signature is created. Exploitable vulnerabilities can exist for years before they are found by security research, leaving you exposed and vulnerable. For a vulnerability such as ZeroLogon, given the power and speed of the exploit, any delay in protection could see the end of your business.

Vectra however has a fundamentally different approach to cybersecurity. Vectra's sophisticated attacker behavior AI/ML models are designed to detect attack behavior regardless of the specific tools or signatures used in the attack. As such, Vectra AI customers have substantial detection capabilities for attack campaigns that might leverage this new vulnerability—even before the vulnerability was announced.

It has been a busy time for these legacy cybersecurity products as they scramble to create signatures, and give their customers some level of protection against this exploit. Those new signatures will help of course, but for some they will come too late, and it's only a matter of time before the exploits change slightly to circumvent these protections. In the recent days we have seen many of our competitors (ExtraHop, CoreLight & Awake for example) scrambling to release new ZeroLogon signatures after the vulnerability disclosure. What about before that? Was there any coverage? Are we to believe that vulnerabilities are only exploitable when disclosed by security research?

Vectra Detect AI/ML behavioral models had you covered even before the vulnerability was disclosed

To successfully use this exploit, the attacker needs to be on the local network. For external attackers, Detect would see command and control (C&C) from the compromised host in the form of External Remote Access, Hidden HTTP/HTTPS/DNS Tunnel, or Suspicious Relay. After exploiting the vulnerability (whether an external or internal attacker) we would likely see DCSync which is covered by RPC Targeted Recon. Once the attacker gained admin access, our sophisticated privileged access analytics (PAA) detections cover the usage of this new access. Other models like Suspicious Admin, Suspicious Remote Execution, and Suspicious Remote Desktop also provide coverage on lateral movement. RDP Recon and RPC Recon could be expected as external attackers find their way around the network.

Cognito Detect protects against your business from emerging, zero-day and fast-moving threats by focusing on the things that don't change, i.e. attacker behavior, rather than signatures that are reactive and easily bypassed.

Gaining additional visibility with Vectra Recall or Stream

Detect's focus on finding attack behavior is a truly durable mechanism to find attackers. Vectra Recall or Stream supplement our advanced detection capabilities enabling deeper investigations & threat hunting. For the ZeroLogon vulnerability, we have published a new Recall dashboard (NetLogon Exploit Dashboard) to give you more visibility into attempts to leverage this vulnerability within your network.

Sample Dashboard in Cognito Recall tracking potential cases of ZeroLogon

About ZeroLogon

A maximum severity CVE (ZeroLogon - CVE-2020-1472 - CVSS 10) was recently reported which enables an attacker to gain the master key to your network, Domain Admin credentials, incredibly quickly and easily without requiring any kind of privilege beyond the ability to emit traffic to your network. This vulnerability is caused by a fault in how Windows Server OS handles the NetLogon RPC protocol which enables the attacker to forge their identity in a password reset event and reset any password including those of Domain Controller machine accounts.

Microsoft has since patched vulnerable versions of Windows Server; everyone is encouraged to apply these patches as soon as possible. Further information on the vulnerability can be found here and information from Microsoft on impacted versions and patch information can be found here.

If you’re ready to change your approach to detecting and responding to cyberattacks, and to get a closer look at how Recall can find attacker tools and exploits, schedule a demo with Vectra today.