Tuesday, January 19, 2021

Cynet Uncovers Zerologon Exploits with a Free Analysis & Detection Tool

Cynet has announced the Zerologon Analysis & Detection Tool in response to the Zerologon vulnerability, also known as CVE-2020-1472.

According to Cynet, Zerologon continues to be a threat even after the availability of the Microsoft patch as exploits may have impacted Windows Server environments prior to implementing the prescribed updates. Moreover, Zerologon continues to be actively exploited as many organizations have not yet implemented the patch because of the expected disruption to IT operations.

Zerologon is a potentially dangerous authentication bypass vulnerability that permits cyber-criminals to exploit the Windows Server Netlogon Remote Protocol (MS-NRPC) authentication process. To support security professionals in managing this threat, Cynet has released the free Zerologon Analysis & Detection Tool which determines if a Zerologon exploit was executed in the user’s IT environment. It is essential that administrators address exploits quickly as they can lead to devastating breaches and system disruption.

One of the cryptographic components that facilitates the Zerologon vulnerability is AES-CFB8 encryption. This mode has been implemented in an insecure way and, as a result, creates the vulnerability. Cynet 360 customers already have detection mechanisms in place for vulnerabilities and exploits such as this one and many other attacks. Due to the magnitude and potential impact of this vulnerability, Cynet is now releasing two detection mechanisms to the wider community that provide visibility of exploits targeting the Zerologon vulnerability.

The first of these detection mechanisms is a YARA rule that can be used to scan memory dumps of lsass.exe; it alerts upon detection of Mimikatz or other Zerologon exploits. The second is an executable, Cynet.ZerologonDetector.exe, which detects spikes in the network traffic of lsass.exe from a given IP. The YARA rule can detect attacks that occurred before it was deployed, giving an after-the-fact indication of Zerologon exploitation.

Cynet’s free detection tool is non-intrusive, the company says, and based on Event Tracing for Windows (ETW) from Microsoft.
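The second mechanism described above, a detector that flags spikes in lsass.exe network connections from a single remote IP, can be illustrated with a sliding-window counter. The following is an added example and not Cynet's tool or its code; it assumes an ETW-style event feed has already been reduced to "timestamp process remote_ip" records (the records below are constructed), and the 60-second window and 100-connection threshold are assumed defaults, not values taken from the page.

```python
"""Sliding-window spike detector for lsass.exe connections per remote IP.

Added example (not Cynet.ZerologonDetector.exe). Assumes an ETW-like feed has
been flattened into lines of the form "ISO-timestamp process remote_ip".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_event(line):
    """Parse one 'timestamp process remote_ip' record into a tuple."""
    ts, proc, ip = line.split()
    return datetime.fromisoformat(ts), proc, ip


def make_sample_events():
    """Constructed sample feed: slow benign traffic from 10.0.0.5, a burst of
    300 lsass.exe connections in ~30 s from 10.0.0.99, and one unrelated
    svchost.exe record that must be ignored."""
    base = datetime(2021, 1, 19, 10, 0, 0)
    lines = []
    for i in range(60):  # one connection every 10 s for 10 minutes
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} lsass.exe 10.0.0.5")
    burst = base + timedelta(minutes=2)
    for i in range(300):  # one connection every 100 ms
        t = burst + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} lsass.exe 10.0.0.99")
    lines.append(f"{base.isoformat()} svchost.exe 10.0.0.99")
    return lines


def detect_spikes(lines, process="lsass.exe",
                  window=timedelta(seconds=60), threshold=100):
    """Return {remote_ip: (time_of_alert, count)} for each remote IP whose
    connections attributed to `process` reach `threshold` within any sliding
    `window`. Only the first crossing per IP is reported."""
    events = sorted(parse_event(l) for l in lines if l.strip())
    recent = defaultdict(deque)  # per-IP timestamps inside the window
    alerts = {}
    for ts, proc, ip in events:
        if proc != process:
            continue  # traffic from other processes is out of scope
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for ip, (ts, n) in detect_spikes(make_sample_events()).items():
        print(f"ALERT {ip}: {n} lsass.exe connections within 60 s by {ts}")
```

The benign host never exceeds seven connections in any 60-second window, so it is never reported; the bursting host is reported at its 100th connection. In a real deployment the threshold would be tuned against the domain controller's normal Netlogon rate, and the alert would be enriched with the source host's identity rather than just its IP.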
