Microsoft warns that Windows Server ‘ZeroLogon’ vulnerability is being exploited in the wild

An exploit in Microsoft Corp.’s Windows Server is being actively exploited in the wild despite a patch for the critical vulnerability being issued last month.

Nicknamed “ZeroLogon” by cybersecurity professionals and “Netlogon EoP” by Microsoft, the vulnerability, patched in Microsoft’s August Patch Tuesday security update, is rated a critical vulnerability score of 10, the highest rating. possible on the CVE scale. The vulnerability, known as “elevation of privilege,” allows an attacker to gain a connection to a vulnerable domain controller using the remote Netlogon protocol and gain domain administrator rights.

Although it was patched in August, cybersecurity company Secura was the first to analyze how the vulnerability works earlier this month. In his words, it is an “interesting vulnerability that would allow an attacker with a foothold on his internal network to essentially become a Domain Administrator with one click,” and that “all that is required is that a connection to the domain controller be the attacker’s point of view. “

0-Domain Admin in 10 seconds with Zerologon (CVE-2020-1472)

Using @_dirkjan ‘s NetrServerPasswordSet2 commits to impacket 😀🥳 pic.twitter.com/PELfKJCQLV

– Rich Warren (@buffaloverflow) September 14, 2020

Security vulnerabilities are a penny a dozen, but where this one becomes more interesting is that Microsoft itself warns against its exploitation in the wild. The warning initially came from Microsoft’s security intelligence team on Twitter.

Microsoft is actively tracking the activity of threat actors using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, called Zerologon. We have seen attacks where public exploits have been incorporated into the attackers’ playbooks.

– Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020

The simple solution to combat the Zerologon vulnerability is to install the August 2020 patch, but the problem is that many Windows Server users are still not actively updating their installations.

“Even though CISA issued a directive to apply the patch that Microsoft released on August 11, we can see that patch management is not as simple as flipping a switch,” Terence Jackson, the firm’s chief information security officer. privileged access management company Thycotic Software Ltd. told SiliconANGLE. “Due to the nature of this vulnerability, attackers will continue to search for vulnerable companies and attempt to exploit. If an attacker gets a domain manager on a network, it’s essentially game over. Businesses and agencies should identify their vulnerable servers and patch them as soon as possible. “

Vulnerabilities like ZeroLogon provide a sobering reminder of the weaknesses of cybersecurity tools that rely too heavily on firms, said Brian Davis, director of federal security solutions at artificial intelligence threat detection company Vectra AI Inc. “They offer a certain level of security. of protection against this exploit, although after the fact, even too late for some, ”he said. “Many federal agencies are unwilling to continue relying on this all-too-familiar cadence, starting with security researchers finding previously unknown vulnerabilities, reacting with a new signature, only for the exploits to change slightly and bypass these same protections.”

Scott Caveza, manager of research engineering at cyber exposition firm Tenable Inc., links Secura’s post with exploits now in-the-wild.

“Shortly after the Secura blog post, detailing the impact and technical information about ZeroLogon, was released, multiple proof-of-concept scripts emerged,” explains Caveza. “In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand on the previous code to add more sophisticated and automated attack scenarios. We anticipated attackers would seize the opportunity and start exploiting the flaw very quickly, which we are now seeing how to resolve. “

Image: Microsoft