Cyber actors are attempting to exploit Windows Zerologon and Oracle security flaws, researchers warn

The vulnerabilities have already been addressed but many systems remain unpatched

Microsoft on Thursday warned of continued activity from malicious cyber actors that are seeking to exploit the Zerologon security vulnerability in efforts to steal sensitive information from unpatched systems.

In a blog post, Aanchal Gupta, VP engineering, MSRC, revealed that the company has received multiple reports from customers about hackers who have been attempting to steal domain credentials and take over the domain by attacking Zerologon bug.

"If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain," Aanchal Gupta said.

"Customers need to both apply the update and follow the original guidance as described in KB4557222 to ensure they are fully protected from this vulnerability," she added.

Zerologon, indexed as CVE-2020-1472, is an elevation-of-privilege bug in the Windows Netlogon Remote Protocol (MS-NRPC), which is used to authenticate users against domain controllers. The vulnerability arises due to an error in the cryptographic algorithm used in the Netlogon authentication process. After successfully exploiting the flaw, an attacker can impersonate any computer and run remote procedure calls on their behalf.

Microsoft addressed the vulnerability with security updates released in August.

To prevent attacks from miscreants, the company advises users to take the following steps:

• Update their Domain Controllers with a security update released on 11 August 2020 or later
• Monitor event logs to find out which machines are making vulnerable connections
• Address non-compliant devices that are making vulnerable connections
• Activate enforcement mode to address Zerologon flaw in their environment

The advisory from Microsoft about the Zerologon bug comes at the time when security experts are also warning organisations about Oracle WebLogic servers vulnerable to a critical bug that could allow taking control of the system with no authentication.

The flaw, indexed as CVE-2020-14882, has a severity score of 9.8 out of 10 on the CVSS scale.

Oracle addressed the flaw in its Critical Patch Update (CPU) released earlier this month, crediting security researcher Voidfyoo of Chaitin Security Research Lab for discovering the flaw and reporting it to the company.

According to Oracle, the attack requires no user interaction and no privileges, and it can be exploited by attackers with network access via HTTP.

The bug impacts Oracle WebLogic Server versions 14.1.1.0, 12.2.1.4.0, 12.2.1.3.0, 12.1.3.0.0, and 10.3.6.0.0.

In a blog post, Johannes B. Ullrich, the Dean of Research at SANS Technology Institute said that they have been observing "active exploitation of the vulnerability" against their honeypot since publishing of PoC exploits.

"At this point, we are seeing the scans slow down a bit," Ullrich said.

"But they have reached 'saturation' meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network, assume it has been compromised."

Oracle WebLogic Server is an application server used by a number of organisations to deploy enterprise Java EE applications.

Last year in May, security researchers warned that hackers were exploiting a zero-day vulnerability in Oracle WebLogic to install Sodinokibi ransomware on servers. The flaw, indexed as CNVD-C-2019-48814 affected all versions of WebLogic, and enabled hackers to hijack servers, conduct remote execution and send arbitrary commands.