
Agencies Urged to Patch Netlogon Flaw Before Election

Microsoft and CISA: Unpatched Flaw Could Make Government Systems Vulnerable to Hackers

Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency are urging local government agencies to patch the Windows Netlogon vulnerability known as Zerologon ahead of next Tuesday’s presidential election to improve security.


Microsoft “has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol,” writes Aanchal Gupta, vice president of engineering for the Microsoft Security Response Center, in a blog post.

The software company notified CISA, which issued an alert “to remind state and local agencies, including those involved in the U.S. elections, about applying steps necessary to address this vulnerability.”

Exploited in Minutes

A partial fix for the Netlogon flaw was issued Aug. 11, and Microsoft plans to roll out more changes early next year.

CISA says in its advisory that it “has observed nation-state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial government networks.”

The agency stresses: “Until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes.” CISA has also released a script to find unpatched domain controllers.

The vulnerability, CVE-2020-1472, resides in the Windows Netlogon Remote Protocol, or MS-NRPC, which is an authentication component of Active Directory that organizations use to manage user accounts, including authentication and access.

The vulnerability can’t be exploited from outside the network. But if an attacker is already on a network, the flaw could allow the hacker to impersonate a machine on the network and take control of the domain controller. From there, an attacker could disable security features and change passwords.
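CISA’s advice above is that every domain controller must be updated and that unpatched ones should be found quickly. The following PowerShell audit is an added example written for this article, not CISA’s script or Microsoft’s code: it walks every domain controller, reads the Netlogon enforcement setting and counts the NETLOGON System-log events (IDs 5827 to 5831) that the August 2020 update introduced to flag vulnerable secure-channel connections. It assumes a domain-joined administrative workstation with the ActiveDirectory RSAT module and WinRM access to the DCs.

```powershell
# Added example: audit domain controllers for the Netlogon (CVE-2020-1472) update state.
# Assumes RSAT ActiveDirectory module and WinRM (Invoke-Command) access to each DC.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)
$ids   = 5827, 5828, 5829, 5830, 5831   # NETLOGON events added by the August 2020 update

$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $row = [ordered]@{ DC = $dc; Reachable = $false; Enforcement = 'unknown'
                       VulnerableAllowed = 0; VulnerableDenied = 0; Note = '' }
    try {
        # FullSecureChannelProtection = 1 means the DC refuses vulnerable Netlogon
        # secure channels; absent or 0 means compatibility mode (the August-phase default).
        $enf = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
        }
        $row.Reachable   = $true
        $row.Enforcement = if ($enf -eq 1) { 'enforced' } else { 'compatibility' }

        # 5829/5830/5831: a vulnerable connection was allowed; 5827/5828: it was denied.
        $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'; Id = $ids; StartTime = $since
        } -ErrorAction SilentlyContinue)
        $row.VulnerableAllowed = @($events | Where-Object { $_.Id -in 5829, 5830, 5831 }).Count
        $row.VulnerableDenied  = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count

        # A DC that never logs any 582x event may predate the update entirely:
        # absence of events is not proof of patching, so flag it for manual review.
        if ($events.Count -eq 0 -and $row.Enforcement -eq 'compatibility') {
            $row.Note = 'No NETLOGON 582x events: confirm the August 2020 update is installed'
        }
    } catch {
        $row.Note = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

# DCs still in compatibility mode or still accepting vulnerable connections sort to the top.
$report | Sort-Object Enforcement, VulnerableAllowed -Descending | Format-Table -AutoSize
```

Any row with a non-zero VulnerableAllowed count identifies a machine account still negotiating the weak channel that must be updated or replaced before enforcement is switched on.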

FBI: Misinformation Will Abound

The alerts about fixing the flaw come as the U.S. government remains on high alert for foreign interference during the election. One of the fears is that state-sponsored groups could take advantage of Netlogon or other vulnerabilities and tamper with election-related websites, deploy ransomware or conduct other disruptive activities while votes are being tallied.

On Oct. 21, Director of National Intelligence John Ratcliffe and FBI Director Christopher Wray warned that Iran and Russia had increased cyber activity against local U.S. government bodies.

Iran was blamed for sending thousands of threatening emails to registered Democratic voters warning that they should vote for Trump (see: US Alleges Iran Sent Threatening Emails to Democrats).


CISA also issued an advisory that a Russian group dubbed Berserk Bear had targeted dozens of local government networks. The group has exfiltrated data from two servers (see: US Officials Blame Data Exfiltration on Russian APT Group).

In an interview earlier this week with ISMG, FBI Supervisory Special Agent Elvis Chan predicted that misinformation is going to increase around Election Day and that “there’s going to be a lot of noise.”

Chan advised U.S. voters that the most accurate voting tallies will come from county or state-level election websites (see: FBI on Election: 'There's Going to be a Lot of Noise').

“Don’t just trust stuff coming out of your social media feed or out of your social media groups,” says Chan, who investigates cybersecurity-related national security issues, including foreign misinformation. “You should really go to accurate sources of news.”

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
