Don’t be the organisation that made the headlines because it failed to patch. Microsoft says it is seeing cyber attacks ramping up around the Zerologon CVE-2020-1472 bug
Published: 24 Sep 2020 10:40
Microsoft has confirmed that real-world cyber criminal activity is coalescing around the highly dangerous Zerologon vulnerability and warned users who have not yet patched it to do so as a matter of extreme urgency.
Described as a “near perfect” exploit, Zerologon, or CVE-2020-1472 to give it its official designation, is an elevation-of-privilege vulnerability through which an attacker who can connect to a vulnerable domain controller using the Netlogon Remote Protocol (NRP) can obtain domain admin rights.
According to a whitepaper published by Secura, the only thing a malicious actor needs to take advantage of it is the ability to set up a TCP connection with a vulnerable domain controller – which means they need to have a foothold on the network but don’t need domain credentials.
CVE-2020-1472 was first revealed in August’s Patch Tuesday, and was highlighted then as one to watch by Gill Langston, head security nerd at Solarwinds MSP, who told Computer Weekly at the time that it was worth taking the time to read and review its implications.
In a series of statements posted to Twitter early on 24 September, Microsoft’s Security Intelligence unit said: “Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
“Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations and detection details designed to empower SecOps to detect and mitigate this threat.”
Microsoft added: “We’ll continue to monitor developments and update the threat analytics report with latest info. We strongly recommend customers to immediately apply security updates for CVE-2020-1472. Microsoft 365 customers can use threat and vulnerability management data to see patching status.”
Such is the severity of the Zerologon vulnerability that it prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive last week, legally requiring federal agencies to patch their systems immediately.
The CISA said it had determined that Zerologon posed an “unacceptable risk” and required “immediate and emergency action”. It imposed a deadline of 11.59pm local time on Monday 21 September to do so.
Satnam Narang, staff research engineer at Tenable, described Zerologon as a “game over” situation for any organisation unlucky or foolhardy enough to fall victim to it, and urged prompt attention.
“The impact of the flaw is limited to an attacker who has already gained a foothold inside an organisation’s network, but despite this limitation, an attacker could leverage any number of existing unpatched vulnerabilities to breach their target network before pivoting to compromise the vulnerable domain controller,” said Narang. He added that Zerologon could also be a “compelling addition” to ransomware gangs’ toolkits.
“We strongly encourage organisations to apply the patches provided by Microsoft immediately,” he said. “If your domain controllers are running unsupported versions that are no longer receiving security updates from Microsoft, it is imperative to upgrade those as soon as possible.”