One of the most severe Windows vulnerabilities fixed this year is now being actively exploited by malicious hackers, Microsoft warned late Wednesday. The development puts anyone who has not yet installed the patch under increasing pressure to do so now.
Tracked as CVE-2020-1472, the vulnerability lets attackers instantly take control of Active Directory, the Windows server resource that acts as an all-powerful gatekeeper for every computer connected to a network. Researchers named the vulnerability Zerologon because an attacker with only minimal access to a vulnerable network can log in to Active Directory by sending a string of zeros in messages that use the Netlogon protocol.
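The following is an added example, not code from the article, from Secura's whitepaper, or from Microsoft, showing why a string of zeros is enough. It goes a step beyond what the article states: Netlogon's ComputeNetlogonCredential (defined in MS-NRPC) encrypts an 8-byte challenge with AES-128 in CFB8 mode under the session key using a fixed all-zero IV, and the script models that computation and measures how often an all-zero client challenge plus an all-zero client credential is accepted. It assumes real AES-128 when the third-party `cryptography` package is importable and otherwise substitutes a keyed HMAC-SHA256 stand-in for the 16-byte block cipher; every function name here is my own.

```python
"""Why a string of zeros works: the CFB8 weakness behind Zerologon.

Added example (not code from the article, Secura, or Microsoft). Netlogon's
ComputeNetlogonCredential (MS-NRPC) encrypts an 8-byte challenge with AES-128
in CFB8 mode under the session key, using a fixed all-zero IV. This script
models that computation and shows why an all-zero client challenge and an
all-zero client credential are accepted for roughly 1 in 256 session keys.

Assumption: real AES-128 is used if the 'cryptography' package is importable;
otherwise a keyed HMAC-SHA256 stand-in plays the role of the 16-byte block
cipher (it is not AES, but the property shown depends only on the first
output byte being uniformly distributed over keys).
"""
import hashlib
import hmac
import random

BLOCK = 16
try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:  # the HMAC stand-in will be used instead
    HAVE_AES = False


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_k(block) for one 16-byte block: AES-128 if available, else a PRF stand-in."""
    assert len(key) == 16 and len(block) == BLOCK
    if HAVE_AES:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: c_i = p_i XOR first byte of E_k(register); then shift c_i into the register."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential, AES variant: CFB8 with the IV fixed to sixteen zero bytes."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zero_credential_is_accepted(session_key: bytes) -> bool:
    """Server-side check for an attacker who sent challenge 00*8 and credential 00*8.

    With a zero IV and zero plaintext, the first output byte is E_k(0^16)[0].
    If that byte is 0, the register stays all-zero and every remaining byte is
    also 0, so the forged all-zero credential equals the one the server expects.
    """
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)


def _random_key(rng: random.Random) -> bytes:
    return rng.getrandbits(128).to_bytes(16, "big")


def acceptance_rate(n_keys: int, seed: int = 1) -> float:
    """Fraction of random session keys that accept the all-zero credential (expected ~1/256)."""
    rng = random.Random(seed)
    hits = sum(zero_credential_is_accepted(_random_key(rng)) for _ in range(n_keys))
    return hits / n_keys


def attempts_until_accepted(seed: int = 1, max_attempts: int = 10000) -> int:
    """Simulate the attacker loop.

    The attacker never learns the session key, but each new ServerReqChallenge
    yields a fresh server challenge and hence a fresh session key, so every
    retry is an independent 1/256 trial. Returns the attempt on which the
    server accepts, or 0 if max_attempts is exhausted.
    """
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        if zero_credential_is_accepted(_random_key(rng)):
            return attempt
    return 0


if __name__ == "__main__":
    print("block cipher:", "AES-128" if HAVE_AES else "HMAC-SHA256 stand-in")
    print(f"acceptance rate over 20000 keys: {acceptance_rate(20000):.5f} (1/256 = {1/256:.5f})")
    print("attempts until the zero credential was accepted:", attempts_until_accepted())
```

Running the script prints the measured acceptance rate (close to 0.0039) and how many retries the simulated attacker needed; a few hundred attempts is typical, a few thousand is the worst realistic case. The point for defenders is that the flaw lies in the mode and the fixed IV, not in AES itself, so no key strength helps; only the server-side fix in the August update, which rejects the vulnerable handshake, closes it.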
Zerologon carries a critical severity rating from Microsoft and a maximum score of 10 under the Common Vulnerability Scoring System. Despite that rating, the privilege-escalation vulnerability drew little attention when Microsoft patched it in August, and Microsoft rated the likelihood of actual exploitation as "less likely".
The security world finally took notice last week with the release of several proof-of-concept exploits and a detailed write-up that demonstrated both the severity of the vulnerability and how easy it is to exploit.
All hands on deck
On Wednesday evening, Microsoft published a series of tweets saying that Zerologon is now being exploited in the wild.
"Microsoft is actively tracking the activities of threat actors using exploits for the Netlogon EoP vulnerability CVE-2020-1472, known as Zerologon," Microsoft representatives wrote. "We have seen attacks that include public exploits in attacker playbooks."
Microsoft 365 customers can refer to the threat analytics report that we published in the Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details that SecOps can use to identify and mitigate this threat.
– Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
The company provided several digital signatures of files used in the attacks but did not publicly disclose any additional details. Microsoft has published a threat analytics report that administrators can use to assess the exposure of their networks, but it is available only to Microsoft 365 subscribers. For everyone else, the best resource is this whitepaper from Secura, the security firm that discovered Zerologon. Microsoft representatives did not respond to an email asking for a copy of the report.
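For readers without access to Microsoft's report, here is an added detection sketch of my own (not Microsoft's or Secura's content; the article only says the report contains detection guidance). It rests on two assumptions about documented Windows event semantics rather than on anything stated above: the public exploit chain resets the domain controller's own machine-account password over the forged Netlogon channel, which the Security log records as event 4742 with ANONYMOUS LOGON (SID S-1-5-7) as the subject; and the August 2020 Netlogon update (KB4557222) added System events 5827/5828 (vulnerable secure-channel connection denied) and 5829 (vulnerable connection allowed because enforcement mode is not yet on). The event records are modelled as flat dictionaries of event data fields, and the samples at the bottom are constructed test data.

```python
"""Detection sketch for Zerologon (CVE-2020-1472) activity on a domain controller.

Added example, not Microsoft's or Secura's detection content. Assumptions
(documented Windows event semantics, not facts from the article):

 1. Security event 4742 ("A computer account was changed") whose Subject is
    ANONYMOUS LOGON (SID S-1-5-7) and whose target is a machine account
    (name ends in '$'). The public exploit chain resets the domain
    controller's own machine-account password through the forged Netlogon
    channel, and that change is logged under an anonymous subject.
 2. System events added by the August 2020 Netlogon update (KB4557222):
    5827/5828 (vulnerable secure-channel connection denied) and 5829
    (vulnerable connection allowed because enforcement mode is not on).

Events are modelled as flat dicts of the event's data fields. The records in
SAMPLE_EVENTS are constructed sample data.
"""
from typing import Dict, List, Optional

ANONYMOUS_SID = "S-1-5-7"


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one event, or None if it is not suspicious."""
    eid = str(event.get("EventID", ""))
    if eid == "4742":
        target = event.get("TargetUserName", "")
        anonymous = (event.get("SubjectUserSid") == ANONYMOUS_SID
                     or event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON")
        if anonymous and target.endswith("$"):
            # In 4742, an attribute that did not change is logged as "-".
            pw = event.get("PasswordLastSet", "-")
            detail = "password reset" if pw != "-" else "account attributes changed"
            return f"CRITICAL: machine account {target} {detail} by ANONYMOUS LOGON (possible Zerologon)"
    elif eid in ("5827", "5828"):
        return f"HIGH: vulnerable Netlogon connection denied for {event.get('MachineSamAccountName', '?')}"
    elif eid == "5829":
        return (f"MEDIUM: vulnerable Netlogon connection ALLOWED for "
                f"{event.get('MachineSamAccountName', '?')}; enforcement mode is off")
    return None


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run classify over a batch of events and return the findings in log order."""
    return [f for f in (classify(e) for e in events) if f]


SAMPLE_EVENTS = [  # constructed sample data, not real log records
    {"EventID": "4742", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "svc_deploy",
     "TargetUserName": "WS01$", "PasswordLastSet": "9/24/2020 2:03:11 AM"},      # routine reset
    {"EventID": "4742", "SubjectUserSid": ANONYMOUS_SID, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "9/24/2020 2:05:47 AM"},      # exploit pattern
    {"EventID": "4742", "SubjectUserSid": ANONYMOUS_SID, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "-"},                          # anonymous, no reset
    {"EventID": "5829", "MachineSamAccountName": "OLDNAS$"},                      # unpatched client
    {"EventID": "5827", "MachineSamAccountName": "DC01$"},                         # blocked attempt
    {"EventID": "4624", "SubjectUserName": "alice"},                               # unrelated logon
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A 4742 with an anonymous subject against a domain controller's own account is the signal to act on immediately, because at that point the machine-account password has already been replaced and the domain controller will start failing replication. The 5829 events are the pre-enforcement inventory: every account they name is a device that will break when enforcement mode is switched on, so they deserve a ticket rather than an alert.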
It's hard to overstate the severity of an exploit that makes it possible to take control of an Active Directory with a few dozen lines of code. Active Directory (and the domain controllers it runs on) is the resource that ransomware attackers value most: with control over the central directory, they can infect entire fleets of machines within minutes. Nation-state hackers carrying out espionage campaigns with surgical precision also prize this access, because it lets them control specific network resources of interest.
Both types of attackers often begin by compromising a low-privilege computer on a network, typically by tricking an employee into clicking a malicious link or file or into entering a password on a phishing page. It can then take weeks or months to escalate those low-level permissions to the ones needed to install malware or execute commands. In certain cases, Zerologon could allow an attacker with that kind of foothold to take control of Active Directory almost immediately.
There may also be ways to use Zerologon directly from the Internet, without any prior access. Internet searches like this one and this one show that more than 33,000 and 3 million networks, respectively, expose domain controllers and remote procedure call logon servers to the public Internet. If a single network exposes both resources, the combination could leave that network wide open with no further requirements.
[Figure: Domain controllers exposed to the Internet.]
[Figure: Remote procedure call exposed to the Internet.]
Zerologon's risk isn't only about facing a catastrophic hack. There is also the risk that applying the patch breaks the most sensitive resource on a network. Late last week, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies either to apply the patch by Monday evening or to remove their domain controllers from the Internet.
Less than three days later, in-the-wild exploits were revealed. Clearly, there was good reason for the directive.