Blumira Resources & Blog

Active Windows Exploits: CVE-2020-1472 and CVE-2019-1040

Written by Thu Pham | Nov 2, 2020 2:45:29 PM

In a recent advisory (PDF) issued by the U.S. National Security Agency (NSA), they caution that state-sponsored hackers are actively exploiting 25 different vulnerabilities in attacks against National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and the Department of Defense (DoD) information networks.

Attackers are exploiting Windows vulnerabilities for lateral movement and credential access, attempting to get access in order to move throughout your network and identify data to steal or systems to disrupt. Two vulnerabilities in particular were called out by the NSA as used by state-sponsored attackers, CVE-2020-1472 and CVE-2019-1040.

Critical Windows Vulnerability, ZeroLogon Netlogon: CVE-2020-1472

CVE-2020-1472 is one of the actively exploited vulnerabilities listed in the NSA advisory, rated as critical in security severity rating from Microsoft and ranking 10/10 on the CVSS scale (Common Vulnerability Scoring System).

Due to a flaw in the implementation of the Netlogon protocol encryption, anyone on a network can elevate their privileges to domain administrator. An attacker can establish a vulnerable Netlogon secure channel connection to a domain controller. That allows an attacker to gain access to your entire domain, enabling them to steal data, disrupt your network, deploy malware or ransomware, etc.

Zerologon Mitigation

This vulnerability affects Microsoft Windows Server 2008 – 2019. To mitigate, you should install the patch as soon as you’re able to, and implement additional instructions found in Microsoft’s support article (KB4557222).

Microsoft has planned a two-part phased rollout of Windows updates for mitigation – the first is to help protect Windows devices, as released in early August. The second phase will be released in Q1 2021 to enforce all devices (including non-Windows) to use more secure protocols with Netlogon secure channel. Microsoft’s security advisory for CVE-2020-1472 provides links to security updates and an FAQ on their plan.

CVE-2019-1040: Windows NTLM Vulnerability

A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. That means the attacker can downgrade Windows NTLM security features.

A man-in-the-middle (MitM) attack is when an attacker intercepts communications between two parties either to secretly eavesdrop or modify traffic traveling between the two (CSOOnline).

CVE-2019-1040 Mitigation

This vulnerability affects Microsoft Windows 7 – 10 and Microsoft Windows Server 2008 – 2019. The NSA advisory lists the additional mitigation option of limiting the use of NTLM as much as possible, and stopping the use of NTLMv1. Microsoft’s security advisory for CVE-2019-1040 provides resources on the specific security updates you need, and documentation on reducing the use of NTLM.

Detection & Response for Windows Security

Blumira’s cloud SIEM platform integrates with Microsoft’s Active Directory, Microsoft Windows Server, Microsoft Windows DNS, Microsoft Windows PowerShell and more.

Once integrated, Microsoft security event logs and alerts are streamed to Blumira’s platform, collecting and centralizing event information about users and computers to identify suspicious or threat-like events. Blumira correlates the data with known threats and detection rules, prioritizing alerts sent to your team with security playbooks to help guide you through incident response procedures.

A few examples of Active Directory detections include user behavioral analytics, password spraying, rogue domain administration and much more. Our integration with Active Directory is also commonly used for audit purposes defined in common compliance frameworks such as PCI DSS and NIST 800-171.

Want to Learn More?

Join us this Thursday! Patrick Garrity, VP of Ops at Blumira and Jacob Julian, Solutions Engineer at Blumira will discuss Windows security and best practices, and give a demo of how you can use Blumira to easily detect and respond to Windows security incidents.

In this roundtable discussion, you’ll learn about:

  • The basics of a Microsoft cloud security stack
  • Windows security detections and best practices
  • Office 365 and Azure security threats you should be able to detect

This interactive, conversational-style session encourages questions and engagement with viewers – so sign up today for access to our security experts.

RSVP to save your seat!

Download Your Guide to Microsoft Security

To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.

In this guide, you’ll learn:

  • How to use built-in Windows tools like System Monitor for advanced visibility into Windows server logs
  • How to configure Group Policy Objects (GPOs) to give you a deeper look into your Windows environment
  • Free, pre-configured tools from Blumira you can use to easily automate Windows logging to enhance detection & response
  • What indicators of security threats you should be able to detect for Microsoft Azure and Office 365