Cybercriminals are increasingly using an elevation of privilege vulnerability in Microsoft Netlogon Remote Protocol, a remote procedure call (RPC) interface designed for user and machine authentication on domain-based networks, according to the Cisco Talos cyber threat intelligence group. The Netlogon vulnerability was initially outlined in a Microsoft Patch Tuesday update last month.
By exploiting the elevation of privilege vulnerability, cybercriminals can establish a Netlogon secure channel connection to a domain controller (DC) and run a specially crafted application on a network device, Cisco Talos noted. They also can leverage the vulnerability to impersonate a computer and gain access to domain administrator credentials, Cisco Talos noted.
How to Guard Against the Netlogon Vulnerability
Microsoft recommends blocking non-signed or sealed connections to guard against the Netlogon vulnerability, Cisco Talos noted. It also is using a two-phase approach to help organizations address the vulnerability by modifying how Netlogon handles the use of secure channels.
During the initial phase, Microsoft is urging organizations to deploy Netlogon security updates released Aug. 11, 2020. These updates ensure that Windows devices and DCs are protected against the Netlogon vulnerability.
Furthermore, Microsoft is encouraging organizations to monitor and address potential Netlogon issues before the second phase of security updates are released in the first quarter of 2021. The second phase will enable organizations to move DCs into enforcement mode, and it will protect Windows devices by default, log events for non-compliant device discovery and add the ability to enable protection for all domain-joined devices with explicit exceptions.
Netlogon customers will be notified about the second phase of the vulnerability mitigation as soon as it begins. They also can register for Microsoft's security notifications mailer to be alerted about content changes to its original Netlogon vulnerability advisory.
