en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach#Impact
2 corrections found
"Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached.
Zerologon did not directly reveal all usernames and passwords on a network. Microsoft and the vulnerability’s discoverers describe it as letting attackers spoof a domain controller or change its machine password, which can then enable domain takeover and credential theft.
Full reasoning
This sentence inaccurately describes what CVE-2020-1472 (Zerologon) does.
Microsoft's Security Response Center says the vulnerability could let an attacker "spoof a domain controller account", which could then be used to "steal domain credentials and take over the domain." The discoverers at Secura similarly explain that the flaw lets an attacker impersonate any computer, including the domain controller itself, and use that to set the domain controller's computer password to a known value.
That is a serious path to domain compromise, but it is not the same thing as directly allowing attackers to access all valid usernames and passwords in every breached Microsoft network. Credential theft can follow from the compromise, but the vulnerability itself is more accurately described as an authentication/privilege-escalation flaw enabling domain controller impersonation and domain takeover.
2 sources
- Attacks exploiting Netlogon vulnerability (CVE-2020-1472)
If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain.
- Zerologon
This flaw allows attackers to impersonate any computer, including the domain controller itself... By forging an authentication token... he was able to call a function to set the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.
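To make the distinction above concrete from a detection standpoint, the following is an added example (not from the Wikipedia article, Microsoft, or Secura) of the log signals a defender would look for after an attempted Zerologon exploit: a domain controller machine account password reset performed by ANONYMOUS LOGON (Security event 4742), and Netlogon event 5829, which Microsoft's post-update domain controllers log when a vulnerable Netlogon secure channel connection is allowed. The event records and the DC_ACCOUNTS set are constructed and simplified; real event XML carries more fields.

```python
"""Flag Windows events consistent with Zerologon (CVE-2020-1472) exploitation.

Added example, not code from the page or the vendors it cites. Events are
simplified dicts standing in for parsed Security/System log entries.
"""

from dataclasses import dataclass

# Machine accounts of domain controllers (constructed; pull from AD in practice).
DC_ACCOUNTS = {"DC01$", "DC02$"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    account: str
    reason: str


def analyze(events):
    """Return findings for events matching the two Zerologon indicators."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4742:
            # 4742: "A computer account was changed". A successful exploit resets
            # the DC's machine password over an unauthenticated Netlogon call, so
            # the subject is ANONYMOUS LOGON rather than the DC itself or an admin.
            subject = ev.get("SubjectUserName", "")
            target = ev.get("TargetUserName", "")
            if subject.upper() == "ANONYMOUS LOGON" and target in DC_ACCOUNTS:
                findings.append(Finding(
                    eid, target,
                    "DC machine account changed by ANONYMOUS LOGON "
                    "(possible Zerologon password reset)"))
        elif eid == 5829:
            # 5829: a vulnerable Netlogon secure channel connection was allowed.
            # Not proof of exploitation, but every such client needs attention.
            findings.append(Finding(
                eid, ev.get("SamAccountName", "?"),
                "vulnerable Netlogon secure channel connection allowed"))
    return findings


# Constructed sample log: one exploit-like 4742, two benign 4742s, one 5829, noise.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    {"EventID": 4742, "SubjectUserName": "svc-admin", "TargetUserName": "WS042$"},
    # Routine machine-password rotation: the DC changes its own account.
    {"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "DC01$"},
    {"EventID": 5829, "SamAccountName": "PRINTER7$"},
    {"EventID": 4624, "SubjectUserName": "alice"},
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.event_id} account {f.account}: {f.reason}")
```

The 4742 rule is the post-exploitation signal (the password reset the Secura quote describes), while 5829 is the pre-exploitation signal that identifies which machines still speak the vulnerable Netlogon variant; neither rule by itself says anything about usernames or passwords being read, which is the point of the correction.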
Additionally, a flaw in Microsoft's Outlook Web App may have allowed attackers to bypass multi-factor authentication.
Public reporting on this incident did not describe an Outlook Web App software flaw. CISA and Volexity said the attackers bypassed MFA by using a previously stolen Duo integration secret key on an OWA server to forge a valid cookie.
Full reasoning
The article attributes the MFA bypass to a flaw in Microsoft's Outlook Web App (OWA), but the public technical reporting for this incident describes a different mechanism.
CISA's SolarWinds advisory says Volexity observed the attackers using a secret key they had previously stolen to generate a cookie that bypassed Duo MFA protecting access to Outlook Web App. Volexity's own incident report is more specific: the attackers accessed the Duo integration secret key (akey) from the OWA server and used it to pre-compute a valid duo-sid cookie, which let them bypass MFA after successful password authentication.
So the bypass was described as abuse of a stolen integration secret on an OWA server, not as an OWA software bug or flaw in Microsoft's product.
2 sources
- Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA
Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication (MFA) protecting access to Outlook Web App (OWA).
- Dark Halo Leverages SolarWinds Compromise to Breach Organizations | Volexity
Volexity's investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie... This allowed the attacker... to then completely bypass the MFA set on the account.