What it means for healthcare organizations and what can be done

This week, in a series of Tweets, Microsoft warned that bad actors have been observed using the Zerologon vulnerability in their attack activity. They noted they had “observed attacks where public exploits have been incorporated into attacker playbooks” and they “strongly recommend customers to immediately apply security updates for CVE-2020-1472.”

Given the pervasiveness of vulnerable Windows Server systems, healthcare delivery organizations may well have devices within their environment at risk. We recommend that these impacted systems be patched as soon as possible. However, most medical, IoMT and IoT devices are unmanaged and therefore not joined to a Windows domain, so they are less likely to be at risk.

Background on the Zerologon Vulnerability 

A month ago, as part of “Microsoft Patch Tuesday,” Microsoft released a patch for CVE-2020-1472, which was described as a critical elevation of privilege (EoP) vulnerability. This vulnerability, also known as “Zerologon,” received a CVSS score of 10 out of 10 for severity. If successfully exploited, an unauthenticated attacker could gain administrative access to a Windows domain controller, which would effectively give the attacker carte blanche access to everything in the network.

Just last week, on September 18, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for federal agencies to urgently patch the vulnerability. In the directive they indicated the “vulnerability poses an unacceptable risk” and that they have seen “the availability of the exploit code in the wild,” which makes it increasingly likely that vulnerable systems are in imminent danger.

Zerologon Details 

The Zerologon vulnerability affects Windows Server operating systems from Server 2008 through Server 2019 via the Netlogon Remote Protocol they all implement. It is made possible by a flaw in the way Netlogon uses AES-CFB8, the cipher mode the protocol relies on for its cryptographic handshake. According to Secura’s report, “Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain.”
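As an added illustration of the mode misuse (this is not code from the original post, from Secura or from Microsoft, and it does not touch Netlogon itself), the following Python script implements CFB8 over a keyed SHA-256 stand-in for the AES block function. That stand-in is an assumption made so the script runs with the standard library alone; the argument only needs the block function to be unpredictable per key, so the statistics carry over to AES-CFB8. It shows that with a fixed all-zero IV and an all-zero plaintext, roughly one key in 256 turns the entire ciphertext into zeros regardless of message length, whereas a fresh IV per message reduces that to 256^-n for an n-byte message, which is why the mode requires an unpredictable IV.

```python
"""Why CFB8 with a fixed all-zero IV is unsafe: the mode misuse behind Zerologon.

Added illustration; not code from the original post, from Secura or from
Microsoft, and it does not speak Netlogon. AES is replaced by a keyed SHA-256
stand-in (a hypothetical 128-bit block function) so the script runs with only
the standard library; the argument depends only on the block function behaving
unpredictably per key, so the statistics match what AES-CFB8 would show.
"""
import hashlib

BLOCK = 16  # 128-bit block, as for AES


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block (assumption: keyed SHA-256)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E_k(shift register);
    the resulting ciphertext byte is then shifted into the register."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_fn(key, bytes(reg))[0]
        c = p ^ keystream_byte
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb8_encrypt: the register is fed ciphertext on both sides."""
    reg = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        keystream_byte = block_fn(key, bytes(reg))[0]
        out.append(c ^ keystream_byte)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def zero_iv_collapses(key: bytes, length: int = 8) -> bool:
    """True when, under a fixed all-zero IV, an all-zero plaintext encrypts to
    all-zero ciphertext. If the first keystream byte is 0, the ciphertext byte
    is 0, the shift register stays all-zero, and every later byte repeats the
    same computation: the whole output is zero no matter how long it is."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(length)) == bytes(length)


def count_collapsing_keys(num_keys: int) -> int:
    """How many of the keys 0..num_keys-1 collapse; the expected rate is 1/256."""
    return sum(zero_iv_collapses(i.to_bytes(BLOCK, "big")) for i in range(num_keys))


def fresh_iv_collapses(key: bytes, num_ivs: int, length: int = 8) -> int:
    """Same key, but a distinct IV per message: a collapse now needs every one
    of the `length` keystream bytes to be zero (probability 256**-length), so
    over num_ivs deterministic IVs the count is 0 in practice."""
    hits = 0
    for i in range(num_ivs):
        iv = hashlib.sha256(b"iv" + i.to_bytes(4, "big")).digest()[:BLOCK]
        if cfb8_encrypt(key, iv, bytes(length)) == bytes(length):
            hits += 1
    return hits


def find_collapsing_key(limit: int = 100_000) -> bytes:
    """First deterministic key for which the zero-IV construction collapses."""
    for i in range(limit):
        key = i.to_bytes(BLOCK, "big")
        if zero_iv_collapses(key):
            return key
    raise RuntimeError("no collapsing key found")  # practically unreachable at 1/256


if __name__ == "__main__":
    weak = find_collapsing_key()
    print("collapsing key:", weak.hex())
    print("zero IV, 32 zero bytes ->", cfb8_encrypt(weak, bytes(BLOCK), bytes(32)).hex())
    print("collapsing keys among 4096:", count_collapsing_keys(4096), "(expected ~16)")
    print("collapses with fresh IVs:", fresh_iv_collapses(weak, 2000))
```

The structural reason sits in `zero_iv_collapses`: once the first keystream byte is zero, the ciphertext byte and hence the shift register stay zero, so every subsequent byte is computed from identical inputs. The fix is the one CFB8 is specified with, a fresh and unpredictable IV for every message.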

By sending a series of Netlogon messages filled with zeros (hence the name), any attacker on the local network can elevate their privileges to those of a domain administrator, which gives them access to almost everything. In order to exploit this vulnerability, an attacker only needs to have a foothold in the network and know the IP of the domain controller (DC). Once they have control, they can change the passwords of any computer in the domain, granting them entry to any of the network’s resources.

The impact of a successful exploit could be devastating. An attacker has access to the entire domain, leaving them free to launch other attacks, steal, snoop or change data, take down service, and much more. 

Implications for Healthcare

As in any other computer network, a compromised DC puts every device in its domain at risk. This means that, depending on the devices in the domain, a successful exploit of the Zerologon vulnerability could put regulated patient data and even patient care at risk. Luckily, most medical, IoMT and IoT devices tend to be unmanaged, which means they are not typically domain-joined and so are less likely to be affected. Healthcare organizations should focus their efforts on protecting the devices that are managed by patching vulnerable DCs as soon as possible, subject to manufacturer’s approval.

Mitigation Recommendations for Healthcare

To mitigate the risks from the Zerologon vulnerability, Microsoft has a two-phased approach: 

There is an open-source tool created by Secura that can help organizations test whether their domain controllers are vulnerable. Customers of Medigate can run a query to see which devices may have this vulnerability. We recommend healthcare organizations look at all the devices in their environment to understand their exposure and then patch, pending vendor approval, to ensure there are no disruptions to operations. Contact us today to learn more about what that might look like and how it might be accomplished.
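As an added example (not Medigate's, Secura's or Microsoft's code) of the kind of exposure check a healthcare security team can run over its own domain controller logs, the script below triages an export of Netlogon events. The event IDs and registry value it relies on come from Microsoft's published guidance for CVE-2020-1472 rather than from this post: the August 2020 update makes domain controllers log System-log events from the NETLOGON source (5827 and 5828 when a vulnerable secure-channel connection is denied, 5829 when one is allowed because enforcement mode is still off, 5830 and 5831 when one is allowed by an explicit Group Policy exception), and enforcement is switched on by setting the DWORD FullSecureChannelProtection to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Microsoft's two phases are exactly this: a deployment phase that logs vulnerable connections, then an enforcement phase that denies them. The log records, hostnames and message layout in the script are constructed; the text is modelled on, not copied from, the real events.

```python
"""Triage exported Netlogon events from a domain controller for CVE-2020-1472
exposure. Added example: not Medigate's, Microsoft's or Secura's code.

Background (Microsoft's Netlogon guidance for CVE-2020-1472, not from the post):
the August 2020 update makes a DC log System-log events from source NETLOGON:
5827/5828 = vulnerable secure-channel connection denied, 5829 = vulnerable
connection allowed because enforcement mode is off, 5830/5831 = allowed by an
explicit Group Policy exception. Enforcement is switched on with the Netlogon
registry value FullSecureChannelProtection = 1.

The records below are constructed; their message text is modelled on, not
copied from, the real event text, and the hostnames are invented.
"""
import json
import re
from collections import Counter

DENIED = {5827, 5828}
ALLOWED_UNENFORCED = {5829}
ALLOWED_BY_POLICY = {5830, 5831}

# Constructed export, one JSON object per line, as a SIEM or scripted export
# of the DC's System log might produce.
SAMPLE_EXPORT = r"""
{"TimeCreated": "2020-09-24T08:01:12", "ProviderName": "NETLOGON", "Id": 5829, "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\nMachine SamAccountName: INFUSION-PUMP-07$\nDomain: HOSP\nAccount Type: Workstation"}
{"TimeCreated": "2020-09-24T08:03:40", "ProviderName": "NETLOGON", "Id": 5829, "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\nMachine SamAccountName: PACS-WS-12$\nDomain: HOSP\nAccount Type: Workstation"}
{"TimeCreated": "2020-09-24T08:15:02", "ProviderName": "NETLOGON", "Id": 5827, "Message": "The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.\nMachine SamAccountName: LEGACY-SRV-01$\nDomain: HOSP\nAccount Type: Server"}
{"TimeCreated": "2020-09-24T08:20:19", "ProviderName": "NETLOGON", "Id": 5830, "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed in the group policy.\nMachine SamAccountName: IMAGING-GW-03$\nDomain: HOSP\nAccount Type: Workstation"}
{"TimeCreated": "2020-09-24T08:31:55", "ProviderName": "Service Control Manager", "Id": 7036, "Message": "The Netlogon service entered the running state."}
{"TimeCreated": "2020-09-24T09:02:07", "ProviderName": "NETLOGON", "Id": 5829, "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\nMachine SamAccountName: INFUSION-PUMP-07$\nDomain: HOSP\nAccount Type: Workstation"}
"""

ACCOUNT_RE = re.compile(r"SamAccountName:\s*(\S+)")


def parse_export(text: str) -> list:
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def account_of(record: dict) -> str:
    """Pull the machine account name out of the event message."""
    m = ACCOUNT_RE.search(record.get("Message", ""))
    return m.group(1) if m else "<unparsed>"


def triage(records: list) -> dict:
    """Bucket Netlogon events by what they say about secure-channel exposure."""
    summary = {
        "allowed_unenforced": Counter(),  # patch applied but enforcement off: still an exposure
        "denied": Counter(),              # enforcement working; device needs a vendor fix or review
        "allowed_by_policy": Counter(),   # deliberate exception: keep on a short, reviewed list
        "ignored": 0,
    }
    for r in records:
        if r.get("ProviderName") != "NETLOGON":
            summary["ignored"] += 1
            continue
        eid = r.get("Id")
        if eid in ALLOWED_UNENFORCED:
            summary["allowed_unenforced"][account_of(r)] += 1
        elif eid in DENIED:
            summary["denied"][account_of(r)] += 1
        elif eid in ALLOWED_BY_POLICY:
            summary["allowed_by_policy"][account_of(r)] += 1
        else:
            summary["ignored"] += 1
    return summary


def enforcement_status(full_secure_channel_protection) -> str:
    """Interpret the FullSecureChannelProtection DWORD read from the DC.
    Pass None when the value is absent; in the initial deployment phase that
    default allows vulnerable connections and logs them as event 5829."""
    if full_secure_channel_protection == 1:
        return "enforced"
    if full_secure_channel_protection == 0:
        return "disabled"
    return "default"


def accounts_needing_action(summary: dict) -> list:
    """Machine accounts that still negotiate vulnerable secure channels; these
    need the vendor's patch (or replacement) before enforcement is turned on."""
    return sorted(summary["allowed_unenforced"])


if __name__ == "__main__":
    s = triage(parse_export(SAMPLE_EXPORT))
    print("enforcement:", enforcement_status(None))
    for bucket in ("allowed_unenforced", "denied", "allowed_by_policy"):
        print(f"{bucket}: {dict(s[bucket])}")
    print("needs action:", accounts_needing_action(s))
```

Machine accounts that keep appearing in 5829 events are the ones to take to the device vendor before enforcement is switched on; once it is, those same devices surface as 5827 denials instead, which is why the triage keeps the two buckets separate rather than merging them into one count.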