Microsoft Warns Of Ongoing Attacks Using Windows Zerologon Flaw
Microsoft today warned that threat actors are continuing to actively exploit systems unpatched against the ZeroLogon privilege escalation vulnerability in the Netlogon Remote Protocol (MS-NRPC).
“Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020,” MSRC VP of Engineering Aanchal Gupta said.
On Windows Server devices where the vulnerability was not patched, attackers can spoof a domain controller account to steal domain credentials and take over the entire domain following successful exploitation.
“We strongly encourage anyone who has not applied the update to take this step now. Customers need to both apply the update and follow the original guidance as described in KB4557222 to ensure they are fully protected from this vulnerability,” Gupta added.
The Windows Zerologon vulnerability
Zerologon is a critical flaw that enables attackers to elevate privileges to a domain admin, thus allowing them to take full control over the entire domain, to change any user’s password, and to execute any arbitrary command.
Microsoft is rolling out the fix for Zerologon in two stages as it can cause some of the affected devices to go through vaarious authentication issues.
Because the initial documentation regarding Zerologon patching was confusing, Microsoft clarified the steps admins need to take to protect devices against attacks using Zerologon exploits on September 29.
The update plan outlined by Microsoft includes the following actions:
- UPDATE your Domain Controllers with an update released August 11, 2020 or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
Previous Zerologon exploitation activity
Microsoft issued a similar warning in September, urging IT admins at the time to apply the security updates issued as part of the August 2020 Patch Tuesday to secure their networks against attacks leveraging public ZeroLogon exploits.
One week later, Cisco Talos also warned of “a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon.”
The Iranian-backed MuddyWater hacking group (aka SeedWorm and MERCURY) also started abusing the flaw starting with the second half of September.
TA505 (aka Chimborazo), a financially-motivated threat group known for distributing the Dridex banking trojan since 2014 and for providing a deployment vector for Clop ransomware in later stages of their attacks, was also detected by Microsoft exploiting the ZeroLogon vulnerability earlier this month.
On September 18, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) demanded the Federal Civilian Executive Branch to treat the ZeroLogon patching process as “an immediate and emergency action.”