Microsoft warns that Windows Server ‘Perfect 10’ critical exploit attack is underway
Windows Server ‘Zerologon’ exploit now being actively used by attackers, Microsoft warns
Just days ago, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive asking all federal agencies to apply a Windows Server security update before midnight on Monday, September 21. The directive spoke of the need to take immediate and urgent action to mitigate the risk of a critical Windows Server exploit called Zerologon.
The exploit, which allows an attacker to become an administrator almost instantly, is so severe that it has earned a perfect rating of 10 on the Common Vulnerability Scoring System (CVSS), and Microsoft itself has rated it critical. CISA also urged local and state governments, as well as private sector organizations, to patch their Windows Server domain controllers urgently. Now the Microsoft Security Intelligence team, a global network of security experts, has confirmed that Zerologon attacks are underway in the wild.
Microsoft Security Intelligence tweeted that it was “actively tracking” Zerologon attack activity by threat actors exploiting CVE-2020-1472. This follows several examples of proof-of-concept exploit code released into the public domain, resulting in the CISA directive. “We have observed attacks where public exploits have been incorporated into attacker manuals,” the Microsoft team warned. Microsoft joins CISA in strongly recommending that security updates be applied immediately. Windows Server administrators can refer to a Microsoft support document on managing changes to Netlogon secure channel connections.
While there are some mitigating factors when it comes to a successful Zerologon attack, including that it is a post-compromise exploit requiring a threat actor to already have a foothold in the network, the severity of failing to patch cannot be overstated. An attacker already inside the network can send specially crafted Netlogon protocol messages containing strings of zeros, hence the name, and elevate their privileges to domain administrator without authenticating.
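The Microsoft support document referenced above describes how the August 2020 update logs Netlogon secure channel connections that still use the vulnerable handshake, so defenders can find those clients before enforcement is switched on. The following triage script is an added example, not code from the article or from Microsoft; it assumes the domain controller's System log has been exported as a list of records with an EventID and Message field, and the sample events it contains are constructed.

```python
import re
from collections import defaultdict

# System-log event IDs added by the August 2020 Netlogon update.
ALLOWED_NOT_ENFORCED = {5829}     # vulnerable connection allowed; enforcement not yet on
ALLOWED_BY_POLICY = {5830, 5831}  # allowed because the account is in the exception policy
DENIED = {5827, 5828}             # denied; enforcement mode is active

ACCOUNT_RE = re.compile(r"SamAccountName:\s*(\S+)")

# Constructed sample records shaped like an exported System log (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 5829, "Computer": "DC01",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel "
                "connection. Machine SamAccountName: FILESRV07$ Domain: CORP"},
    {"EventID": 5829, "Computer": "DC01",
     "Message": "... Machine SamAccountName: FILESRV07$ Domain: CORP"},
    {"EventID": 5830, "Computer": "DC02",
     "Message": "... allowed by policy. Machine SamAccountName: LEGACYNAS$ Domain: CORP"},
    {"EventID": 5827, "Computer": "DC02",
     "Message": "The Netlogon service denied a vulnerable Netlogon secure channel "
                "connection. Machine SamAccountName: UNKNOWN-PC$ Domain: CORP"},
    {"EventID": 4624, "Computer": "DC01", "Message": "An account was successfully logged on."},
]


def triage_netlogon_events(events):
    """Group Netlogon secure-channel events by the account that triggered them.

    Returns {"allowed_not_enforced": {account: count}, "allowed_by_policy": {...},
             "denied": {...}}; unrelated events are ignored.
    """
    report = {"allowed_not_enforced": defaultdict(int),
              "allowed_by_policy": defaultdict(int),
              "denied": defaultdict(int)}
    for ev in events:
        eid = ev["EventID"]
        if eid in ALLOWED_NOT_ENFORCED:
            bucket = "allowed_not_enforced"
        elif eid in ALLOWED_BY_POLICY:
            bucket = "allowed_by_policy"
        elif eid in DENIED:
            bucket = "denied"
        else:
            continue
        match = ACCOUNT_RE.search(ev["Message"])
        account = match.group(1) if match else "<unparsed>"
        report[bucket][account] += 1
    return {k: dict(v) for k, v in report.items()}


def enforcement_ready(report):
    """True when no client is still being waved through without enforcement."""
    return not report["allowed_not_enforced"]
```

Accounts listed under allowed_not_enforced are the machines to update or isolate before enabling enforcement mode; accounts under allowed_by_policy are deliberate exceptions that should each be reviewed.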
Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax, called this one when he told me on September 19 that “CVE-2020-1472 is probably going to be weaponized pretty quickly.” He also warned that the exploit could be “devastating in the hands of cybercriminals”.
“Cryptographic errors are hard, if ever, to notice, but these errors highlight the massive impact threat actors can have when they have enough time to exploit them,” said Jake Moore, cybersecurity specialist at ESET. He echoes everyone else’s advice that patching early is vital, especially now that we know the attackers have working exploit code. “The August 2020 patch is enough to thwart the attack,” Moore concludes, “but it acts as another reminder that a good patch will save you from the tsunami of constant attacks.”
A Microsoft spokesperson confirmed regarding the Zerologon exploit that “a security update was released in August 2020. Customers who apply the update or have automatic updates enabled will be protected.”