Zerologon Windows Server Flaw Used in Active Attacks
Microsoft has warned that a critical vulnerability it patched in August is now being actively exploited in the wild, enabling attackers to remotely control a target organization’s Windows domain.
Also known as “Zerologon,” CVE-2020-1472 is a critical elevation of privilege bug affecting Windows 2008 and more recent versions. It exists when an attacker uses the Netlogon Remote Protocol to establish a vulnerable secure channel connection to a domain controller, according to Microsoft.
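From a defender's side, the useful question after this paragraph is whether any client is still establishing the kind of vulnerable Netlogon secure channel connection the vulnerability depends on. Microsoft's August 2020 update added Netlogon System-log events 5827 and 5828 (a vulnerable connection was denied, for a machine or trust account) and 5829, 5830 and 5831 (a vulnerable connection was allowed, either because enforcement is not yet active or because a group policy exception permits it). The script below is an added example, not code from the article or from Microsoft; it triages a flat text export of such events so an administrator can see which accounts and client addresses still need attention. The line layout (`timestamp NETLOGON <id> Account=… Domain=… ClientIP=…`), the field names and the sample records are constructed for the example and do not reproduce the real Event Viewer format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Netlogon event IDs introduced by Microsoft's August 2020 update for
# CVE-2020-1472. Descriptions follow Microsoft's documented meaning.
VULNERABLE_DENIED = {
    5827: "denied (machine account)",
    5828: "denied (trust account)",
}
VULNERABLE_ALLOWED = {
    5829: "allowed: enforcement mode not yet active",
    5830: "allowed by group policy exception (machine account)",
    5831: "allowed by group policy exception (trust account)",
}

# Constructed flat export format for this example (not the real Event Viewer XML):
#   <timestamp> NETLOGON <event id> Account=<sam> Domain=<dom> ClientIP=<ip>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+NETLOGON\s+(?P<eid>\d+)\s+(?P<fields>.*)$")

# Constructed sample records; hostnames and addresses are placeholders.
SAMPLE_LOG = """\
2020-09-24T10:01:02Z NETLOGON 5829 Account=WS-LEGACY01$ Domain=CORP ClientIP=10.0.5.17
2020-09-24T10:01:09Z NETLOGON 5827 Account=UNKNOWN-HOST$ Domain=CORP ClientIP=10.0.9.200
2020-09-24T10:02:31Z NETLOGON 5830 Account=PRINTSRV02$ Domain=CORP ClientIP=10.0.5.40
2020-09-24T10:03:00Z NETLOGON 5828 Account=PARTNER$ Domain=PARTNER ClientIP=192.0.2.10
some unrelated System log line that is not a NETLOGON record
"""


@dataclass
class NetlogonEvent:
    timestamp: str
    event_id: int
    account: str
    domain: str
    client_ip: str


def parse_line(line):
    """Parse one exported line; return None for lines that are not Netlogon records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return NetlogonEvent(
        timestamp=m.group("ts"),
        event_id=int(m.group("eid")),
        account=fields.get("Account", "?"),
        domain=fields.get("Domain", "?"),
        client_ip=fields.get("ClientIP", "?"),
    )


def triage(lines):
    """Split vulnerable-connection events into those the DC still allows (the ones
    that need fixing before enforcement) and those it already denies, and count
    every event ID seen."""
    report = {"allowed_vulnerable": [], "denied_vulnerable": [], "counts": Counter()}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        report["counts"][ev.event_id] += 1
        entry = (ev.account, ev.domain, ev.client_ip)
        if ev.event_id in VULNERABLE_ALLOWED:
            report["allowed_vulnerable"].append(entry + (VULNERABLE_ALLOWED[ev.event_id],))
        elif ev.event_id in VULNERABLE_DENIED:
            report["denied_vulnerable"].append(entry + (VULNERABLE_DENIED[ev.event_id],))
    return report


def enforcement_gap(report):
    """True when at least one vulnerable connection is still being allowed, i.e. the
    domain has not yet reached a state where the patched DC rejects them all."""
    return len(report["allowed_vulnerable"]) > 0


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for account, domain, ip, why in result["allowed_vulnerable"]:
        print(f"STILL ALLOWED  {domain}\\{account} from {ip}: {why}")
    for account, domain, ip, why in result["denied_vulnerable"]:
        print(f"denied         {domain}\\{account} from {ip}: {why}")
    print("event counts:", dict(result["counts"]))
    print("enforcement gap:", enforcement_gap(result))
```

Accounts listed under "still allowed" are the ones to update or, for third-party devices that cannot use secure RPC, to consciously exempt; a non-empty list is also the check to run again after the update is installed everywhere, since patching the domain controller alone does not remove the 5829 entries while enforcement is not active.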
According to the US Cybersecurity and Infrastructure Security Agency (CISA) it could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services — and with them the entire network.
In a sign of the criticality of the bug, CISA issued an emergency directive a week ago ordering all federal civilian agencies to patch the flaw by end-of-play last Monday. It poses an “unacceptable risk” to government IT systems, it said in the alert.
Although at the time only proof-of-concept exploits were circulating, the vulnerability is now being actively used in attacks, Microsoft warned yesterday.
“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks,” it tweeted.
“We will continue to monitor developments and update the threat analytics report with latest info. We strongly recommend customers to immediately apply security updates for CVE-2020-1472. Microsoft 365 customers can use threat and vulnerability management data to see patching status.”
Although many organizations may have delayed patching due to concerns over disruption to legacy apps, Axonius CEO Dean Sysman argued that many may not even know they are running exposed systems.
“Despite having many tools that provide data on assets and networks, these solutions and the data they provide are often siloed, outdated and lack actionable context,” he added.
“Security teams find it nearly impossible to maintain a comprehensive asset inventory and know whether those assets are properly secured. Without this visibility, organizations are at risk — even in the case of known vulnerabilities.”
Scott Caveza, Tenable research engineering manager, urged system administrators to take immediate action.
“Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we’re seeing attacks in the wild,” he said.
“Administrators should prioritize patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns.”