Here's how Axonius customers are able to identify devices related to two recent security events: a critical vulnerability CVE-2020-1472, and devices that fall under Section 889 of the National Defense Authorization Act (NDAA).
Cybersecurity teams often need to determine how a recently announced vulnerability, regulation, or some other security event affects their enterprise. Do we have any systems vulnerable to the exploit that recently appeared? Are we in compliance with a new regulation that imposes restrictions on certain types of devices? Axonius customers can use our powerful query language to answer such questions within minutes, and make sure that the answers are accurate and up-to-date. Here, we’ll show how Axonius customers can identify these devices using queries.
What is CVE-2020-1472?
Published by Microsoft on August 11, 2020, CVE-2020-1472 (Microsoft advisory "CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability"; MITRE entry CVE-2020-1472) is a Windows vulnerability described as:
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Or, as ArsTechnica explains:
It can sometimes take weeks or months to escalate low-level privileges to those needed to install malware or execute commands. Enter Zerologon, an exploit developed by researchers from security firm Secura. It allows attackers to instantly gain control of the Active Directory. From there, they will have free rein to do just about anything they want, from adding new computers to the network to infecting each one with malware of their choice.
Finding Devices with CVE-2020-1472
Axonius customers can use the following query to identify devices with CVE-2020-1472:
(specific_data.data.software_cves.cve_id == "CVE-2020-1472")
This query returns every device for which at least one connected data source (for example, a vulnerability scanner) has reported CVE-2020-1472. Devices that no data source has assessed will not appear, so the result is only as complete as the scan coverage feeding the platform. Because the flaw is in the Netlogon service on domain controllers, the hits that matter most are DCs that have not yet received the August 2020 update.
What is the National Defense Authorization Act (NDAA) Section 889?
The National Defense Authorization Act sets forth policies for Department of Defense (DOD) programs and activities, and specifically, Section 889 creates a general prohibition on telecommunications or video surveillance equipment or services produced or provided by the following companies (and associated subsidiaries or affiliates):
- Huawei Technologies Company; or
- ZTE Corporation
It also prohibits equipment or services used specifically for national security purposes, such as public safety or security of government facilities, provided by the following companies (and associated subsidiaries or affiliates):
- Hytera Communications Corporation;
- Hangzhou Hikvision Digital Technology Company; or
- Dahua Technology Company
Finding Devices Prohibited by Section 889
Axonius customers can use the following query, with one clause per manufacturer, to find devices from the manufacturers named in NDAA Section 889:
(specific_data.data.network_interfaces.manufacturer == regex("Huawei", "i"))
or (specific_data.data.network_interfaces.manufacturer == regex("ZTE", "i"))
or (specific_data.data.network_interfaces.manufacturer == regex("Hytera", "i"))
or (specific_data.data.network_interfaces.manufacturer == regex("Hangzhou", "i"))
or (specific_data.data.network_interfaces.manufacturer == regex("Dahua", "i"))
This query returns devices whose network interfaces report a manufacturer matching Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of those entities), or Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of those entities). The match is against the manufacturer recorded for the interface, usually derived from the MAC address OUI, so treat it as a first-pass filter: the "Hangzhou" pattern also matches unrelated manufacturers based in Hangzhou, and rebadged or white-labelled equipment may carry another vendor's OUI and be missed. Review the hits before treating them as a compliance finding.
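To make the two queries on this page inspectable offline, the following added example (not Axonius code and not the platform's export format) re-implements the CVE-2020-1472 check and the Section 889 manufacturer check over a constructed inventory whose record shape loosely mirrors the fields the queries use (software_cves[].cve_id and network_interfaces[].manufacturer). It goes slightly beyond the page's query in two places: CVE identifiers are compared case-insensitively, since scanners differ in casing, and a narrowed pattern set is shown alongside the page's patterns to illustrate why "Hangzhou" over-matches. The hostnames and manufacturer strings are assumptions made up for the example.

```python
"""Added example: re-implement the page's two Axonius queries over an offline,
constructed inventory.  Not Axonius code; the record layout is an assumption."""
import re

# Constructed sample inventory (not real data).  Manufacturer strings imitate
# the OUI-style vendor names an asset platform records per interface.
DEVICES = [
    {"hostname": "dc01", "software_cves": [{"cve_id": "CVE-2020-1472"}],
     "network_interfaces": [{"manufacturer": "Dell Inc."}]},
    {"hostname": "dc02", "software_cves": [{"cve_id": "cve-2020-1472"}],  # lower-case from a scanner
     "network_interfaces": [{"manufacturer": "HP"}]},
    {"hostname": "cam-lobby", "software_cves": [],
     "network_interfaces": [{"manufacturer": "Hangzhou Hikvision Digital Technology Co.,Ltd."}]},
    {"hostname": "ap-3f", "software_cves": [],
     "network_interfaces": [{"manufacturer": "HUAWEI TECHNOLOGIES CO.,LTD"}]},
    {"hostname": "nvr-01", "software_cves": [],
     "network_interfaces": [{"manufacturer": "Zhejiang Dahua Technology Co., Ltd."}]},
    {"hostname": "thermostat", "software_cves": [],  # Hangzhou-based but not a Section 889 vendor
     "network_interfaces": [{"manufacturer": "Hangzhou Tuya Information Technology Co., Ltd."}]},
    {"hostname": "laptop-7", "software_cves": [{"cve_id": "CVE-2020-1350"}],
     "network_interfaces": [{"manufacturer": "Intel Corporate"}, {"manufacturer": None}]},
]

# The page's patterns, exactly as in its query (case-insensitive substring match).
SECTION_889_PATTERNS = [re.compile(p, re.I)
                        for p in ("Huawei", "ZTE", "Hytera", "Hangzhou", "Dahua")]

# Narrowed alternative (assumption for illustration): match "Hikvision" rather
# than the city name, and anchor "ZTE" on word boundaries.
SECTION_889_NARROW = [re.compile(p, re.I)
                      for p in ("Huawei", r"\bZTE\b", "Hytera", "Hikvision", "Dahua")]


def devices_with_cve(devices, cve_id="CVE-2020-1472"):
    """Hostnames of devices with the given CVE reported by any data source.
    Case-insensitive on the identifier; the page's query is an exact match."""
    wanted = cve_id.upper()
    return sorted(
        d["hostname"] for d in devices
        if any((c.get("cve_id") or "").upper() == wanted
               for c in d.get("software_cves", []))
    )


def devices_by_manufacturer(devices, patterns):
    """Map hostname -> first interface manufacturer that matches any pattern.
    Interfaces with no recorded manufacturer are skipped."""
    hits = {}
    for d in devices:
        for nic in d.get("network_interfaces", []):
            vendor = nic.get("manufacturer")
            if vendor and any(p.search(vendor) for p in patterns):
                hits[d["hostname"]] = vendor
                break
    return hits


if __name__ == "__main__":
    print("CVE-2020-1472:", devices_with_cve(DEVICES))
    print("Section 889 (page's patterns):", devices_by_manufacturer(DEVICES, SECTION_889_PATTERNS))
    print("Section 889 (narrowed):", devices_by_manufacturer(DEVICES, SECTION_889_NARROW))
```

With the page's patterns the thermostat is flagged solely because its vendor name starts with "Hangzhou"; the narrowed set drops it while keeping the Hikvision camera, the Huawei access point and the Dahua recorder. Either way the manufacturer field only reflects the OUI of the interface, so the output is a list to review, not a finding.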
The following is a dashboard chart that shows the count of devices by these manufacturers:
These are just two quick examples of how our customers are using the Axonius Asset Management Platform to answer urgent questions about their environment. The questions go beyond the traditional concept of mere “asset management” and make it possible to confirm that the state of the organization’s IT infrastructure is consistent with the company’s expectations. It also allows the enterprise to quickly identify security gaps.