Attackers are actively exploiting Zerologon Windows vulnerability, Microsoft warns

The flaw could allow an attacker with a foothold on the local network to instantly become a Domain Admin

Microsoft warned on Thursday that malicious cyber actors have been exploiting the dangerous Zerologon vulnerability in Windows Server systems, which could allow an attacker to gain access to an organisation's Active Directory domain controllers.

"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon," Microsoft's security intelligence team wrote on Twitter.

"We have observed attacks where public exploits have been incorporated into attacker playbooks. We strongly recommend customers to immediately apply security updates," it added.

The warning from the software giant comes just days after the US Department of Homeland Security (DHS) issued an advisory last week, directing all federal agencies to "apply the Windows Server August 2020 security update to all domain controllers" by 21st September.

The advisory said that the bug poses "an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action."

The details of the Zerologon bug were first revealed by researchers from the Dutch cyber security firm Secura on 14th September. Since then, multiple proof-of-concept (PoC) exploits have appeared on the internet in downloadable form.

Indexed as CVE-2020-1472, Zerologon is a critical elevation of privilege bug that could allow an attacker with a foothold on the local network to instantly become a Domain Admin, and gain access to an organisation's Active Directory domain controllers.

According to Secura, the vulnerability arises due to a flaw in the cryptographic algorithm in the Netlogon Remote Protocol (MS-NRPC), which is used to authenticate users and machines on Windows domain controllers.

Researchers have named the bug 'Zerologon' because it allows attackers with minimal access to a vulnerable network to log in to the Active Directory by sending a string of zeros in messages that use the Netlogon protocol. The vulnerability impacts most supported versions of Windows Server, from Server 2008 through Server 2019.

In August, Microsoft released a fix for Zerologon, rating the chances of the vulnerability actually being exploited as "less likely".

The company has now published a threat analytics report to help admins assess the vulnerability of their networks, although the report is available only to Office 365 subscribers.

"Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations and detection details designed to empower SecOps to detect and mitigate this threat," the company said.
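The article says the August update and Microsoft's report give admins "detection details" for Netlogon abuse. The script below is an added example, not code from the article, from Microsoft or from Secura; it shows how a SecOps team might triage the NETLOGON audit events that the August 2020 update added to the System log (event IDs 5827/5828 for a denied vulnerable secure-channel connection, 5829 for one allowed while enforcement is still off, 5830/5831 for one allowed by a group-policy exception), and how to read the `FullSecureChannelProtection` registry value that turns enforcement on. The event records are constructed sample data, the field names are assumptions about how a SIEM would flatten them, and actually reading the registry or the event log is left to the caller.

```python
"""Triage of Netlogon secure-channel audit events (added example, not from the article).

After the August 2020 update a domain controller writes NETLOGON-source
events to the System log: 5827/5828 when a vulnerable (unsigned/unsealed)
secure-channel connection is denied, 5829 when one is still allowed because
enforcement mode is off, and 5830/5831 when one is allowed by the
"Allow vulnerable Netlogon secure channel connections" group policy.
The records below are constructed, not real log output.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample records; the field names are an assumption about how a
# SIEM would flatten the XML event data.
SAMPLE_EVENTS = [
    {"EventID": 5829, "Source": "NETLOGON", "Computer": "DC01", "Account": "WS-LEGACY$"},
    {"EventID": 5827, "Source": "NETLOGON", "Computer": "DC01", "Account": "SRV-APP01$"},
    {"EventID": 5827, "Source": "NETLOGON", "Computer": "DC01", "Account": "SRV-APP01$"},
    {"EventID": 5830, "Source": "NETLOGON", "Computer": "DC02", "Account": "PRINTER7$"},
    {"EventID": 4624, "Source": "Microsoft-Windows-Security-Auditing",
     "Computer": "DC01", "Account": "alice"},
]

DENIED = {5827, 5828}            # vulnerable connection refused by a patched DC
ALLOWED_NOT_ENFORCED = {5829}    # vulnerable connection accepted: enforcement is off
ALLOWED_BY_POLICY = {5830, 5831} # vulnerable connection accepted via explicit GPO exception

# Registry location of the enforcement switch (from Microsoft's August 2020 guidance).
ENFORCEMENT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
ENFORCEMENT_VALUE = "FullSecureChannelProtection"


@dataclass
class Finding:
    severity: str
    event_id: int
    computer: str
    account: str
    reason: str


def triage_netlogon_events(events):
    """Return one Finding per NETLOGON event that matters; other events are ignored."""
    findings = []
    for ev in events:
        if ev.get("Source") != "NETLOGON":
            continue
        eid = ev["EventID"]
        if eid in DENIED:
            sev = "high"
            why = "vulnerable secure-channel connection denied; a burst against one account warrants investigation"
        elif eid in ALLOWED_NOT_ENFORCED:
            sev = "high"
            why = "vulnerable connection allowed because enforcement mode is off; enable FullSecureChannelProtection"
        elif eid in ALLOWED_BY_POLICY:
            sev = "medium"
            why = "vulnerable connection allowed by a group-policy exception; confirm the listed account really needs it"
        else:
            continue
        findings.append(Finding(sev, eid, ev["Computer"], ev["Account"], why))
    return findings


def summarize(findings):
    """Count findings per severity and list the accounts that still use vulnerable connections."""
    by_severity = Counter(f.severity for f in findings)
    exposed_accounts = sorted({f.account for f in findings
                               if f.event_id in ALLOWED_NOT_ENFORCED | ALLOWED_BY_POLICY})
    return {"by_severity": dict(by_severity), "exposed_accounts": exposed_accounts}


def enforcement_mode(registry_value):
    """Interpret FullSecureChannelProtection as read from the DC (1 = enforced)."""
    return "enforced" if registry_value == 1 else "not enforced"


if __name__ == "__main__":
    found = triage_netlogon_events(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.computer} event {f.event_id} account={f.account}: {f.reason}")
    print(summarize(found))
    # Value 1 stands in for what a 'reg query' of ENFORCEMENT_KEY would return on a hardened DC.
    print(f"{ENFORCEMENT_VALUE} -> {enforcement_mode(1)}")
```

Every 5829 and 5830/5831 record names a device that would still be accepted without the fix in effect, so the `exposed_accounts` list is the remediation worklist; once all of them are patched or updated, `FullSecureChannelProtection` can be set to 1 and only denied-connection events should remain.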

Last week, cyber security firm 0patch released its own "micropatch" for the bug, stating that not all systems were compatible with Microsoft's fix.

0patch said that its micropatch was logically identical to Microsoft's fix and "primarily targeted at Windows Server 2008 R2 users without Extended Security Updates".

Samba, a file-sharing utility that enables Windows, Linux and Mac to communicate with one another, has also released its own Zerologon patch.

The Samba utility uses the Netlogon protocol, and therefore it also suffers from the vulnerability.