Just days ago, the U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive instructing all federal agencies to apply a Windows Server security update before midnight on Monday, September 21. That directive spoke of the need to take immediate and emergency action in order to mitigate the risk of a critical Windows Server exploit called Zerologon.
The exploit, which enables an attacker to become an instant administrator, is so serious it rated a perfect 10 on the Common Vulnerability Scoring System (CVSS) and Microsoft itself determined it to be of critical severity. CISA also urged local and state governments, along with organizations in the private sector, to patch their Windows Server domain controllers as a matter of urgency. Now the Microsoft Security Intelligence team, a global network of security experts, has confirmed that Zerologon attacks are underway in the wild.
Microsoft Security Intelligence has tweeted that it is “actively tracking” Zerologon attack activity by threat actors exploiting CVE-2020-1472. This follows multiple examples of proof of concept exploit code being released into the public domain, which prompted the CISA directive. “We have observed attacks where public exploits have been incorporated into attacker playbooks,” the Microsoft team warned. Microsoft joins CISA in strongly recommending that security updates are applied immediately. Windows Server admins can refer to a Microsoft support document on managing the changes in Netlogon secure channel connections.
Although there are some mitigating factors when it comes to a successful Zerologon attack, not least that this is a post-compromise exploit requiring a threat actor to already have a foothold on the network, the seriousness of failing to patch cannot be overstated. That attacker within the network can send specially crafted Netlogon protocol messages with strings of zeros, hence the name, and elevate privileges to become an admin without authentication.
Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax, called this one when he told me on September 19 that “CVE-2020-1472 is probably going to get weaponized pretty quickly.” He also warned that the exploit could be “devastating in the hands of cybercriminals.”
“Cryptographic mistakes are difficult to notice, if ever, yet these blunders highlight the sheer impact threat actors can have when given enough time to exploit,” Jake Moore, a cybersecurity specialist at ESET, says. He echoes the advice of everyone else in that patching early is vital, especially now that we know attackers have working exploit code. “The August 2020 patch is enough to thwart the attack,” Moore concludes, “but it acts as yet another reminder that good patching will save you from the tsunami of constant attacks.”
A Microsoft spokesperson confirmed, concerning the Zerologon exploit, that “a security update was released in August 2020. Customers who apply the update, or have automatic updates enabled, will be protected.”