Microsoft released a patch on June 8 that treated this vulnerability as low in severity. On June 21, PrintNightmare was updated to critical severity as the potential for remote code execution was uncovered. The June 8 Microsoft patch did not resolve CVE-2021-34527 (PrintNightmare), but it did resolve CVE-2021-1675.
UPDATE July 08 @ 10:18am ET: There have been requests for the technical information on the machine we had tested the patch on. On a Windows 10 21H1 Enterprise VM, it had stopped the Mimikatz implementation of local privilege escalation.
Note: This is still breaking news and an emerging threat. Huntress will continue to update this blog with our observations and any indicators of compromise following post-exploitation activity if discovered.
This is a severe security flaw that affects an incredibly large number of Windows servers. Multiple proof-of-concept exploits have been released (Python, C++) and we've confirmed this vulnerability is trivial to exploit.
We advise you to monitor log entries in Microsoft-Windows-PrintService/Admin to find potential evidence of exploitation. Entries with error messages failing to load plug-in module DLLs could be an indicator, but if a threat actor packaged a legitimate DLL that Print Spooler would demand, this error is not logged.
UPDATE June 29 5:28pm ET: Organizations may not have logging for Print Service operations enabled and may have difficulty enabling it site-wide. If you cannot readily enable that logging, another option is to look for Sysmon ImageLoad events (Event ID 7) where the loading process is `spoolsv.exe`. Researchers have shared Sigma rules to help detect this.
UPDATE June 29 @ 9:01pm ET: Disabling the Print Spooler service and stopping printing altogether is certainly impractical for some businesses. While it is one option for a subpar band-aid fix, another option that keeps the service running is restricting the access control lists (ACLs) on the directory the exploit uses to drop malicious DLLs. This method was brought to light by the team at TrueSec, and we, alongside the community, offer kudos and props for their efforts.
Changing the ACLs prevents rogue DLLs from being written there by the targeted Print Spooler service while keeping the service functional. Note: You will not be able to install/uninstall/make changes to your printer drivers while this ACL is in place, and some Citrix users have reported printing issues with this method.
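The ACL hardening described above, as an added example that is not TrueSec's own script: it adds (and can later remove) a Deny ACE for SYSTEM, the account spoolsv.exe runs as, on the spooler's driver directory. The path below is assumed to be the standard driver store location; run this elevated.

```powershell
# Added example: apply/verify/undo the Deny-ACE mitigation on the spooler driver
# directory. Assumption: the default driver store path on a 64-bit Windows install.
$DriverDir = 'C:\Windows\System32\spool\drivers'

function New-SpoolerDenyRule {
    # Deny SYSTEM "Modify" on the whole tree (inherited by files and subfolders),
    # so the spooler can no longer write a driver DLL there. Read/execute still
    # works, so already-installed drivers keep loading.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\SYSTEM',
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Set-SpoolerDriverDirAcl {
    param([Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action)
    $acl  = Get-Acl -Path $DriverDir
    $rule = New-SpoolerDenyRule
    switch ($Action) {
        'Add'    { $acl.AddAccessRule($rule) }
        'Remove' { [void]$acl.RemoveAccessRule($rule) }
    }
    Set-Acl -Path $DriverDir -AclObject $acl
}

function Test-SpoolerDriverDirAcl {
    # $true when a Deny ACE for SYSTEM covering Modify is present on the directory.
    $deny = (Get-Acl -Path $DriverDir).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify) -ne 0)
    }
    return [bool]$deny
}

Set-SpoolerDriverDirAcl -Action Add      # apply the mitigation
Test-SpoolerDriverDirAcl                 # expect True
# Set-SpoolerDriverDirAcl -Action Remove # undo before installing or updating printer drivers
```

Remove the rule (and re-verify) before any driver install or update, then put it back; the Citrix printing issues reported above are consistent with driver-provisioning paths that also need to write into this tree.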
We've completed our first review and all 34,000+ networks are looking clean so far. We will continue to share if we see post-exploitation activity. We're also keeping a close eye on the ability to craft directory traversing payload paths outside of the previously listed folders (doesn't appear to bypass the ACL technique or Olaf Hartung's Defender for Endpoints KQL)
Other security researchers, including Mimikatz author Benjamin Delpy, are observing funky vulnerability behavior (some fully patched servers are not vulnerable until promoted to a domain controller). We're also noticing that sometimes repeated successful exploitation attempts don't always get logged within Microsoft-Windows-PrintService/Admin. (Possible caching?)
For those technical folks who want to follow along, our team is diving into the exploit's behaviors to help us determine if any Huntress partners have been compromised. Here's a filtered view of spoolsv.exe in ProcMon.
Enabling the Microsoft-Windows-PrintService/Operational event log (disabled by default) and monitoring for event ID 316 yields solid detection results in our lab testing regardless of whether the exploit is successful. Fellow security researcher Jake Williams has seen the same success and recommended the following PowerShell snippet:
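The three log sources discussed above (PrintService/Admin plug-in load failures, Sysmon Event ID 7 for spoolsv.exe, and PrintService/Operational event 316) combined into one hunting script. This is an added example, not code from the Huntress post and not the snippet Jake Williams recommended. It assumes Sysmon is installed under its default channel name and that the script runs elevated on the host being checked.

```powershell
# Added example: three PrintNightmare hunting queries using only Get-WinEvent.
# Assumptions: default Sysmon channel name; run as an administrator.

# The Operational log is disabled by default; enable it so event 316 is recorded.
function Enable-PrintServiceOperationalLog {
    wevtutil sl 'Microsoft-Windows-PrintService/Operational' /e:true
}

# 1. Operational log, event 316 ("Printer driver ... was added or updated").
#    Fires on each driver installation attempt, whether or not the exploit succeeds.
function Get-PrintDriverAddedEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, MachineName, Message
}

# 2. Admin log: the spooler failed to load a plug-in module. Only present when the
#    dropped DLL could not be loaded; a well-packaged payload leaves no such entry,
#    so an empty result is inconclusive.
function Get-PrintPluginLoadFailures {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PrintService/Admin'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match 'failed to load a plug-in module' } |
      Select-Object TimeCreated, Id, Message
}

# 3. Sysmon event 7 (ImageLoad): DLLs loaded by spoolsv.exe from the driver store.
#    Legitimate drivers load from here too, so the output is narrowed to unsigned
#    images and to the New/Old staging folders the spooler uses during installs.
function Get-SuspiciousSpoolerImageLoads {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.Image -like '*\spoolsv.exe' -and $data.ImageLoaded -match '\\spool\\drivers\\') {
            $staging  = $data.ImageLoaded -match '\\(New|Old)\\'
            $unsigned = $data.Signed -ne 'true'
            if ($staging -or $unsigned) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    ImageLoaded = $data.ImageLoaded
                    Signed      = $data.Signed
                    Hashes      = $data.Hashes   # usable directly as an IOC
                }
            }
        }
    }
}

Enable-PrintServiceOperationalLog
Get-PrintDriverAddedEvents
Get-PrintPluginLoadFailures
Get-SuspiciousSpoolerImageLoads
```

Event 316 is the most reliable of the three because it is written by the driver-install path itself; the Sysmon query is the fallback for hosts where the Operational log was not yet enabled when the attempt happened.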
The information security community stands on the shoulders of giants. That means the whole industry plays in concert to share knowledge, resources and understanding. Huntress has no intention of being your sole provider as there is a whole world of actionable information.
"This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack."
"This vulnerability is incredibly simple, but that's also what makes it interesting," Tsai said. "Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature?"
Attack surface management company Censys said it identified about 458,800 exposures of potentially vulnerable PHP instances as of June 9, 2024, most of which are located in the U.S. and Germany. But it also noted that the number is likely an "overestimate of the true impact of this vulnerability," given it cannot detect when CGI mode is enabled.
The development comes as Imperva warned of TellYouThePass ransomware actors actively exploiting the PHP flaw to deliver a .NET variant of the file-encrypting malware by means of an HTML Application ("dd3.hta") payload.
"The initial infection is performed with the use of an HTA file (dd3.hta), which contains a malicious VBScript," the company noted. "The VBScript contains a long base64 encoded string, which when decoded reveals bytes of a binary, which are loaded into memory during runtime."
Windows security updates should always be taken seriously, of that there is no doubt. But when the U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive for a perfect 10, critical, Windows Server vulnerability, the urgency meter goes off the scale.
This is a vulnerability that could enable an attacker with network access to gain admin status by sending a string of zeros using the Windows Netlogon protocol. A vulnerability that, CISA said, must be assumed as being actively exploited in the wild.
CISA doesn't issue emergency directives unless there's a serious cause for concern. The last time I reported on such a rare directive was back in July when government agencies were given just 24 hours to update, you guessed it, Windows Server.
CVE-2020-1472 is about as serious as it gets, hence the maximum 10 Common Vulnerability Scoring System (CVSS) rating and the critical severity that Microsoft has attached to it. The vulnerability itself opens the door for an attacker already inside the network to take over the Windows Server Active Directory domain controller.
This post-compromise exploit has been named Zerologon because it requires messages including strategically-placed strings of zeros to be sent using the Netlogon protocol. As long as the attacker can establish a connection with the domain controller on an unpatched system, no authentication is required to elevate privileges to the max and become an 'instant admin.'
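Why "strategically-placed strings of zeros" are enough, as an added illustration that is not part of the article: the Netlogon credential computation (MS-NRPC ComputeNetlogonCredential) encrypts the 8-byte client challenge with AES in CFB8 mode using an all-zero IV. With a zero IV and a zero challenge, the output is all zeros whenever the first byte of AES_k(0^16) is zero, which holds for roughly one in 256 random session keys, so an attacker retrying with a zero challenge and zero credential is accepted after a few hundred attempts on an unpatched DC. The script below simulates that property offline; the CFB8 loop is hand-built on top of .NET's AES-ECB and the trial count is this example's own choice.

```powershell
# Added example: simulate the AES-CFB8 zero-IV weakness behind Zerologon.
# Assumption: trial count and function names are this example's own.
function Invoke-AesCfb8 {
    param(
        [Parameter(Mandatory)][byte[]]$Key,        # 16-byte session key
        [Parameter(Mandatory)][byte[]]$IV,         # 16-byte IV (all zeros in Netlogon)
        [Parameter(Mandatory)][byte[]]$Plaintext
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.Key     = $Key
    $enc = $aes.CreateEncryptor()

    $shift = [byte[]]::new(16)            # CFB shift register, seeded with the IV
    [Array]::Copy($IV, $shift, 16)
    $out = [byte[]]::new($Plaintext.Length)

    for ($i = 0; $i -lt $Plaintext.Length; $i++) {
        $block = [byte[]]::new(16)
        [void]$enc.TransformBlock($shift, 0, 16, $block, 0)   # E_k(shift register)
        $out[$i] = $block[0] -bxor $Plaintext[$i]               # one byte per step
        [Array]::Copy($shift, 1, $shift, 0, 15)                 # drop oldest byte
        $shift[15] = $out[$i]                                   # feed ciphertext back
    }
    $enc.Dispose(); $aes.Dispose()
    return $out
}

function Measure-ZeroChallengeHits {
    # Counts how often a random session key turns an all-zero challenge into an
    # all-zero credential under a zero IV. Expect about Trials/256 hits.
    param([int]$Trials = 4096)
    $zeroIV    = [byte[]]::new(16)
    $challenge = [byte[]]::new(8)          # eight zero bytes, as in the attack
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $hits = 0
    for ($t = 0; $t -lt $Trials; $t++) {
        $key = [byte[]]::new(16); $rng.GetBytes($key)
        $cred = Invoke-AesCfb8 -Key $key -IV $zeroIV -Plaintext $challenge
        if (-not ($cred | Where-Object { $_ -ne 0 })) { $hits++ }
    }
    [pscustomobject]@{
        Trials             = $Trials
        AllZeroCredentials = $hits
        ExpectedRoughly    = [math]::Round($Trials / 256, 1)
    }
}

Measure-ZeroChallengeHits
```

The point the simulation makes is that the attacker never needs the key: the zero IV turns a one-in-256 event into something that can simply be retried, which is why the fix is about Netlogon's use of the mode rather than about any secret leaking.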
Emergency directive 20-04 requires federal agencies to comply with the "immediate and emergency action" that CISA has determined necessary to mitigate the "unacceptable risk" that the Zerologon exploit poses. That action being to "immediately apply the Windows Server August 2020 security update to all domain controllers," and do so before September 22.
While this directive applies to executive branch departments and agencies, the CISA also "strongly recommends" that not only should local and state governments patch this critical vulnerability as a matter of urgency, but also the private sector.
"CVE-2020-1472 is probably going to get weaponized pretty quickly," Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax, says. "If history is any judge, my money is on APT Fox Kitten, also known as Parasite, who since the summer of 2019 have managed within a window of a few weeks to start campaigns using targeted exploits," he warns.
"Windows Server Zerologon is more of a lateral movement exploit than a front door or internet-facing vulnerability," Thornton-Trump says, "so although APT groups will look at this as a great way to get onto servers, where all the cool data is, I can see it being devastating in the hands of cybercriminals."
With many cybercrime and ransomware groups using toolsets like Mimikatz to grab admin privileges, security systems will see such activity and block it. "This vulnerability appears not to require a tool," Thornton-Trump says, "so it may make the job of stealing and ransoming all your things on the server even quicker." Like the Department of Homeland Security, Thornton-Trump advises that "whatever your threat model, be it APT, cyber-criminal or both, this is a good thing to fix ASAP."
Are you 100% sure RDP is being restricted by IP at the firewall? My first impression would be that login attempts are being made to your server via RDP. You really need to check which ports are open and publicly accessible.
Use wail2ban. It's like fail2ban but for Windows; here is the link for the project. But it seems like development has stopped for it. If I find any better alternatives to fail2ban, I will update my answer. In the meantime, definitely try wail2ban. It will temporarily block the IP addresses of failed login attempts after 5 failed attempts for 10 minutes (the conditions, ban time, etc. can be changed). Don't forget to whitelist your own IP, because if you enter your password wrong 5 times by mistake, you will get yourself banned for 10 minutes (the default ban time set in wail2ban).
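The same idea in plain PowerShell, as an added example that is not wail2ban's own code: tally failed logons (Security event 4625) per source address over a window, add a Windows Firewall block rule for each address over the threshold, skip a whitelist, and expire old rules. Assumptions: Windows 8/Server 2012 or later (NetSecurity cmdlets), run elevated, and the whitelist address, rule-name prefix and defaults below are this example's own.

```powershell
# Added example: minimal fail2ban-style banning for RDP brute force on Windows.
# Assumptions: NetSecurity module present; run as administrator; values are illustrative.
$Threshold  = 5                      # failures before a ban
$WindowMin  = 10                     # look-back window in minutes
$BanMinutes = 10                     # how long a ban lasts
$Whitelist  = @('203.0.113.10')      # constructed: replace with your own admin IP(s)
$RulePrefix = 'AutoBan-'

function Get-FailedLogonSources {
    # Source IPs with >= $Threshold failed logons in the last $WindowMin minutes.
    param([int]$Minutes = $WindowMin)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
      } |
      Where-Object { $_ -and $_ -ne '-' -and $_ -notin $Whitelist } |
      Group-Object | Where-Object { $_.Count -ge $Threshold } |
      Select-Object @{ n = 'IpAddress'; e = { $_.Name } }, Count
}

function Add-BanRule {
    param([Parameter(Mandatory)][string]$Ip)
    $name = "$RulePrefix$Ip"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # Expiry is stored in the rule description so the cleanup pass can find it.
        $expires = (Get-Date).AddMinutes($BanMinutes).ToString('o')
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -RemoteAddress $Ip -Description "expires $expires" | Out-Null
    }
}

function Remove-ExpiredBanRules {
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        $expires = [datetime]($_.Description -replace '^expires ', '')
        if ($expires -lt (Get-Date)) { Remove-NetFirewallRule -Name $_.Name }
    }
}

Remove-ExpiredBanRules
Get-FailedLogonSources | ForEach-Object { Add-BanRule -Ip $_.IpAddress }
```

Schedule it every minute or two with Task Scheduler. Note that 4625 only carries a source address when the failure reaches the logon path; NLA-rejected connections may instead show up under Microsoft-Windows-RemoteDesktopServices-RdpCoreTS, so this is a complement to restricting RDP at the firewall, not a replacement for it.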
I've just used to scan a website we host on Win 2008 IIS7 - SSL is being terminated on the windows server directly (no load balancing device with SSL offloading in between) - it's being reported as vulnerable. Similar tests of websites hosted on Win 2012 with IIS8 don't have the same result (does not show as vulnerable).