Microsoft warned on Thursday that malicious cyber actors have been exploiting the dangerous Zerologon vulnerability in Windows Server systems, which could allow an attacker to gain access to an organisation’s Active Directory domain controllers.
“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon,” Microsoft’s security intelligence team wrote on Twitter.
“We have observed attacks where public exploits have been incorporated into attacker playbooks. We strongly recommend customers to immediately apply security updates,” it added.
The warning from the software giant comes just days after the US Department of Homeland Security (DHS) issued an advisory last week, directing all federal agencies to “apply the Windows Server August 2020 security update to all domain controllers” by 21st September.
The advisory said that the bug poses “an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.”
The details of the Zerologon bug were first revealed by researchers from the Dutch cyber security firm Secura on 14th September. Since then, multiple proof-of-concept (PoC) exploits have appeared on the internet in downloadable form.
Indexed as CVE-2020-1472, Zerologon is a critical elevation of privilege bug that could allow an attacker with a foothold on the local network to instantly become a Domain Admin, and gain access to an organisation’s Active Directory domain controllers.
According to Secura, the vulnerability arises due to a flaw in the cryptographic algorithm in the Netlogon Remote Protocol (MS-NRPC), which is used to authenticate users and machines on Windows domain controllers.
Researchers have named the bug ‘Zerologon’ because it allows attackers with minimal access to a vulnerable network to log in to the Active Directory by sending a string of zeros in messages that use the Netlogon protocol. The vulnerability impacts most supported versions of Windows Server, from Server 2008 through Server 2019.
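The “string of zeros” comes from how Netlogon used AES in CFB8 mode with an all-zero initialisation vector, as Secura documented. The script below is an added example, not code from the article or from Secura, and it isolates the mode property rather than anything about Netlogon itself: when the IV and the plaintext are both zero, the entire ciphertext is zero whenever the first byte of the block function's output for the zero block is zero, which happens for roughly 1 in 256 keys. A SHA-256-based keyed function stands in for AES (a constructed substitute, so the script runs offline without third-party libraries); CFB8 only ever calls the block function in the forward direction, so the reasoning carries over unchanged.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES


def block_function(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's forward (encrypt) direction.

    Constructed for this example: a keyed SHA-256 truncated to one block.
    CFB8 never needs the inverse, so a PRF is enough to show the property.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: each plaintext byte is XORed with the first byte of
    E(shift register); the resulting ciphertext byte is shifted in."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be one block long")
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_function(key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])  # register is shifted by one byte
    return bytes(out)


def zero_iv_zero_plaintext_is_all_zero(key: bytes, length: int = 8) -> bool:
    """IV = 0 and plaintext = 0: output is all zeros iff E(0)[0] == 0.

    If the first keystream byte is 0 the ciphertext byte is 0, so the
    register stays all-zero and every later keystream byte is identical.
    """
    return cfb8_encrypt(key, bytes(BLOCK), bytes(length)) == bytes(length)


def first_byte_predicts_output(key: bytes, length: int = 8) -> bool:
    """Check the claim above for one key: the all-zero outcome is decided
    entirely by the first byte of E(zero block)."""
    predicted = block_function(key, bytes(BLOCK))[0] == 0
    return zero_iv_zero_plaintext_is_all_zero(key, length) == predicted


def deterministic_key(i: int) -> bytes:
    """Constructed test keys derived from a counter, so runs are repeatable."""
    return hashlib.sha256(b"example-key-" + i.to_bytes(4, "big")).digest()


def fraction_of_keys_with_zero_output(trials: int = 16384) -> float:
    """Estimate how often a zero IV + zero plaintext yields all-zero output.
    Expected value is 1/256, about 0.0039."""
    hits = sum(
        zero_iv_zero_plaintext_is_all_zero(deterministic_key(i))
        for i in range(trials)
    )
    return hits / trials


def find_zero_output_key(limit: int = 16384) -> bytes:
    """Return the first constructed key for which the zero/zero case
    produces an all-zero ciphertext (exists with overwhelming probability)."""
    for i in range(limit):
        key = deterministic_key(i)
        if zero_iv_zero_plaintext_is_all_zero(key):
            return key
    raise RuntimeError("no such key in range; raise the limit")


def random_iv_breaks_the_pattern(key: bytes, length: int = 8) -> bool:
    """With a fixed but non-zero IV (as the mode is meant to be used),
    zero plaintext no longer yields zero output, even for a 'bad' key."""
    iv = hashlib.sha256(b"example-iv").digest()[:BLOCK]  # constructed IV
    return cfb8_encrypt(key, iv, bytes(length)) != bytes(length)


if __name__ == "__main__":
    print("fraction of keys giving all-zero output:", fraction_of_keys_with_zero_output())
    k = find_zero_output_key()
    print("sample key with all-zero output:", k.hex())
    print("same key, non-zero IV, still all-zero?", not random_iv_breaks_the_pattern(k))
```

The defensive takeaway is the one Secura drew: CFB8 with a fixed IV leaks the first keystream byte into every later byte, so a predictable IV must never be used with this mode, and a protocol whose challenge can be attacker-chosen must not rely on it.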
In August, Microsoft released a fix for Zerologon, saying the chances of the vulnerability’s actual exploitation were “less likely”.
The company has now published a threat analytics report to help admins assess the vulnerability of their networks, although the report is available only to Office 365 subscribers.
“Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations and detection details designed to empower SecOps to detect and mitigate this threat,” the company said.
Last week, cyber security firm 0patch released its own “micropatch” for the bug, stating that not all systems were compatible with Microsoft’s fix.
0patch said that its micropatch was logically identical to Microsoft’s fix and “primarily targeted at Windows Server 2008 R2 users without Extended Security Updates”.
Samba, a file-sharing utility that enables Windows, Linux and Mac to communicate with one another, has also released its own Zerologon patch.
The Samba utility uses the Netlogon protocol, and therefore it also suffers from the vulnerability.