Robin’s Newsletter #118

20 September 2020. Volume 3, Issue 38
Domain admin for EVERYONE! APT41/Winnti charged for cyber-espionage and activities against computer games companies. First death leading directly from cyber-attack :-(

This week

ZeroLogon: Domain admin for everyone!

If you’re reading this with your cuppa on Monday morning and are responsible for your company’s IT or security: stop reading this right now and check you’ve applied the Windows Server updates from August.

Despite CVE-2020-1472 scoring a ‘perfect 10.0’ on the CVSS scale it got little reporting at release.

Now, new details of ZeroLogon (as it has been dubbed by the researchers at Secura who discovered it) have been published. The vulnerability means anyone with network access to a Windows Server domain controller can gain full domain admin access ‘within three seconds’.

A flaw in the crypto used by the Netlogon Remote Protocol allows a modified authentication token to be sent that sets the computer password of the Domain Controller to a known value. From there the attacker can take control of the domain controller and steal domain admin credentials.

The AES-CFB8 encryption routine uses a feedback loop to generate a key. Due to a weakness in the logon function used to authenticate devices, in one attempt in 256 the session key will be a string of all zeroes and will match a ‘ClientCredential’ value that can be manually set to all zeroes as well. Hence the name of the vulnerability.

Those repeated attempts will hopefully make exploitation attempts easier for security operations teams to detect.
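To make the ‘one in 256’ figure concrete, here is an added illustration (my own code, not the newsletter’s and not Secura’s or Microsoft’s) of the cryptographic property behind ZeroLogon: the Netlogon credential is computed with AES-CFB8 using a fixed all-zero initialisation vector. In CFB8 the whole output is zero exactly when the first byte of the block cipher applied to the zero register is zero, which happens for roughly one session key in 256, so an all-zero client credential is accepted after a few hundred tries on average. The script uses real AES if the `cryptography` package is installed and otherwise a labelled hash-based stand-in (assumption: any unpredictable keyed block function shows the same structural behaviour). It also contrasts a random IV to show why the fixed IV is the problem; this is an illustration only, not a description of Microsoft’s patch.

```python
"""Why one Netlogon authentication attempt in ~256 'succeeds' with an all-zero
credential: AES-CFB8 with a fixed all-zero IV.  Added illustration, not code
from the newsletter, Secura or Microsoft."""
import hashlib
import os

try:
    # Real AES-128 single-block encryption if 'cryptography' is available.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # Stand-in keyed pseudo-random function (assumption: the CFB8 property
    # below holds for any unpredictable block function).  This is NOT AES.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CFB8: each plaintext byte is XORed with the first byte of
    E(key, shift_register); the ciphertext byte is then shifted into the
    register so the next keystream byte depends on it."""
    assert len(iv) == 16
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(16)          # the fixed IV at the heart of the flaw
ZERO_CHALLENGE = bytes(8)    # an all-zero 8-byte client challenge


def netlogon_style_credential(session_key: bytes,
                              challenge: bytes = ZERO_CHALLENGE) -> bytes:
    """Shape of the credential computation described in the write-up:
    AES-CFB8 over an 8-byte challenge with an all-zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_predicted(session_key: bytes) -> bool:
    """With a zero IV and zero plaintext the shift register never changes while
    the output stays zero, so the credential is all zeroes exactly when the
    first byte of E(key, 0^16) is zero (probability 1/256)."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def zero_credential_rate(trials: int, iv: bytes = ZERO_IV) -> float:
    """Fraction of constructed sample keys (not real session keys) whose
    credential for an all-zero challenge is itself all zeroes under 'iv'."""
    hits = 0
    for i in range(trials):
        key = hashlib.sha256(b"sample-key-%d" % i).digest()[:16]
        if cfb8_encrypt(key, iv, ZERO_CHALLENGE) == ZERO_CHALLENGE:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Fixed zero IV: about 1 key in 256 accepts an all-zero credential.
    print("zero-IV rate  :", zero_credential_rate(8192))
    # Random IV: the register keeps changing, so all eight bytes would each
    # have to come out zero independently (about 2^-64); never seen here.
    print("random-IV rate:", zero_credential_rate(8192, os.urandom(16)))
```

For a defender the useful consequence is the one the paragraph above draws: an attacker has to make a burst of Netlogon authentication attempts against the domain controller before one lands, and that burst of failed authentications from a single source is the signal to alert on.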

The vulnerability requires network access to the domain controller, which is presumably (hopefully!) on an internal network. Given how trivial it makes gaining domain admin, it will likely become a favourite for attackers. It is worth remembering that network connections in the physical world may be in public areas of company premises, such as reception, and the computers used by those staff.

Full remediation of the issue is not expected until Q1 2021 due to its complexity, but the August fix should be applied now to prevent exploitation in the meantime.

Multiple proofs-of-concept are doing the rounds and organisations like the US Cybersecurity and Infrastructure Security Agency (CISA) expect it to be actively exploited in short order.

Interesting stats

A 250% increase in attacks on cloud servers in the last year - that shouldn’t come as a surprise given we are using ‘more cloud’ than before - however… 95% of those attacks were used to mine crypto-currency, according to Aqua Security’s analysis of ~16K attacks against Docker honeypots

Other newsy bits

APT41 / Winnti individuals named in DOJ charges

Five Chinese men have been charged by the US Department of Justice for their roles as part of the APT41 / Barium / Winnti threat group. The charges allege that the group, which operates behind a front company, Chengdu 404, is contracted by the Ministry of State Security to conduct cyber operations.

During these operations the group carried out many attacks targeting supply chains, hijacking the updates to Asus laptops and the CCleaner antivirus software. They stole cryptographic material used to digitally sign code so they could disguise their own code and make it seem legitimate.

That helps to explain the somewhat schizophrenic tendencies of the group. As well as cyber-espionage campaigns targeting hundreds of companies, the group engaged in for-profit hacking of computer games companies. The latter activities involved manipulating in-game currencies and generating items to sell on game marketplaces via two Malaysian accomplices.

The Malaysian men have been arrested, and the US is seeking extradition, while the five Chinese nationals have been charged in absentia, as part of growing efforts by the US to ‘name and shame’ those associated with Chinese state-backed hacking.

German prosecutors open case following hospital ransomware attack

German prosecutors have opened a case against persons unknown for a ransomware attack against a hospital that resulted in a woman dying because the hospital was unable to admit her. It’s believed to be the first time a direct link between a fatality and a cyber-attack can be drawn.

Experian data on South African residents appears on the dark web

In August details emerged (vol. 3, iss. 34) that Experian had handed over details of 24M South Africans in what it described as a ‘fraudulent data enquiry’. Now the state-issued ID numbers, mobile phone numbers, home addresses, banking and work details and email addresses of 56% of South Africa’s population are circulating on the dark web, despite Experian having obtained a ‘seize and destroy’ court order for the data.

In brief

Attacks, incidents & breaches

  • Public Health Wales accidentally published the initials, location, gender and date of birth of 18,000 Welsh residents who had tested positive for COVID-19. The data was taken down within 20 hours and the organisation has since ‘segregated internal and external dashboards’

Threat intel

  • Automated attacks against the end-of-life Magento version 1.x e-commerce software implanted MageCart card-skimming malware on over 2,000 sites last weekend - be cautious when making purchases from smaller online stores. How-to style videos are also being sold on cybercriminal forums for $5,000
  • CISA has issued an advisory warning of attacks from groups affiliated with the Chinese state against F5, Citrix and Pulse Secure devices and Microsoft Exchange, all of which have had major vulnerabilities disclosed in the last 12 months
  • A phishing scam in the UK is asking for £65 to postpone jury duty, and also harvests personal information @GossiTheDog
  • Sloppy coding within the software supply chain is to blame for a backdoor and root telnet access in video encoders, says Huawei
  • Maze ransomware now performs encryption operations inside a virtual machine in bid to evade detection
  • Code for the Cerberus Android malware has been released, includes capabilities to steal one-time password SMS messages

Security engineering

  • NCSC has released a toolkit to help organisations establish a Vulnerability Disclosure Programme and engage with those who may report security vulnerabilities
  • The unauthorised access of George Floyd’s medical records is a reminder of why audit controls, such as access logs, are needed where many people have access to information, both to discourage ‘peeking’ and to monitor for unusual activity
  • Microsoft has open-sourced its Project OneFuzz fuzzing tools to help developers find security issues


  • A £2.5B claim is being made against YouTube and Google in the UK for tracking kids’ viewing habits. It’s a re-run of a similar case under the US’ COPPA law last year that led to a $170M settlement with the Federal Trade Commission (vol. 2, iss. 36)

Public policy

  • UK defence secretary Ben Wallace announced an intent to move away from traditional hardware and platforms, such as aircraft carriers, in favour of cyber and drone capabilities

Mergers, acquisitions and investments

  • JupiterOne raises $19M Series A funding to automate asset management

And finally

Finding the former Australian PM’s mobile number from his boarding pass

There’s lots of personal information hidden in the barcodes of boarding passes. You shouldn’t go posting pictures of them on social media, not least because your booking reference and surname are usually all that is required to view and modify your booking with your airline. This humorous write-up delves a little deeper into what you can find out about someone from a picture posted by the former Australian Prime Minister, Tony Abbott.

