Just days ago, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive ordering all federal agencies to apply a Windows Server security update by midnight on Monday, September 21. The directive spoke of the need for immediate and urgent action to mitigate the risk of a critical Windows Server exploit called Zerologon.
The exploit, which allows an attacker to become an instant administrator, is so severe that it received a perfect score of 10 on the Common Vulnerability Scoring System (CVSS), and Microsoft itself rated it critical. CISA also urged local and state governments, as well as private sector organizations, to patch their Windows Server domain controllers urgently. Now Microsoft Security Intelligence, a global network of security experts, has confirmed that Zerologon attacks are under way in the wild.
Microsoft Security Intelligence tweeted that it is "actively tracking" Zerologon attack activity by threat actors exploiting CVE-2020-1472. This follows the public release of multiple proof-of-concept exploits, which prompted the CISA directive. "We have seen attacks where public exploits have been incorporated into attackers' playbooks," the Microsoft team warned. Microsoft joins CISA in strongly recommending that the security updates be applied immediately. Windows Server administrators can consult Microsoft's support document on managing changes to Netlogon secure channel connections.
While there are some mitigating factors for a successful Zerologon attack, chiefly that it is a post-compromise exploit requiring a threat actor to already have a foothold in the network, the severity of failing to patch cannot be overstated. An attacker already inside the network can send specially crafted Netlogon protocol messages containing strings of zeros, hence the name, and elevate privileges to become an administrator without authentication.
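Since the article points administrators to Microsoft's guidance on Netlogon secure channel connections, here is an added example, not code from the article, from Microsoft or from any of the quoted experts, of how a defender could triage the System-log events that the patched Netlogon service writes. It assumes the event IDs 5827 through 5831 that Microsoft's support document assigns to vulnerable secure-channel connections, and that the records were exported with the fields Id, ProviderName, TimeCreated and Message (as Get-WinEvent provides them); the sample records, account names and IP addresses are constructed.

```python
"""Triage Netlogon secure-channel events tied to CVE-2020-1472 (Zerologon).

Added example, not code from the article or from Microsoft. It groups Windows
System-log records from the Netlogon service by the event IDs that Microsoft's
support document on managing changes to Netlogon secure channel connections
uses for vulnerable connections, so a defender can see which accounts still
reach a domain controller over an unprotected channel after the August 2020
update is installed, and which refused connections deserve a closer look.
"""
import re
from collections import Counter, defaultdict

# Event IDs documented by Microsoft for the patched Netlogon service (System log).
# Assumption: only these five IDs matter for this triage; everything else is ignored.
NETLOGON_EVENTS = {
    5827: "denied",             # vulnerable connection from a machine account refused
    5828: "denied",             # vulnerable connection from a trust account refused
    5829: "allowed",            # allowed only during the initial deployment phase
    5830: "allowed_by_policy",  # machine account listed in the exception group policy
    5831: "allowed_by_policy",  # trust account listed in the exception group policy
}

# Field labels as they appear in the event text; the parser tolerates their absence.
_ACCOUNT_RE = re.compile(r"SamAccountName:\s*(\S+)")
_IP_RE = re.compile(r"Client IP Address:\s*(\S+)")

# Constructed sample records; hostnames, domain and addresses are invented.
SAMPLE_RECORDS = [
    {"Id": 5829, "ProviderName": "NETLOGON", "TimeCreated": "2020-09-21T08:12:03",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
                "Machine SamAccountName: LEGACY-NAS$\nDomain: CORP\n"
                "Account Type: Workstation Trust Account\nClient IP Address: 10.0.5.40"},
    {"Id": 5829, "ProviderName": "NETLOGON", "TimeCreated": "2020-09-21T09:40:11",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
                "Machine SamAccountName: LEGACY-NAS$\nDomain: CORP\n"
                "Account Type: Workstation Trust Account\nClient IP Address: 10.0.5.40"},
    {"Id": 7036, "ProviderName": "Service Control Manager", "TimeCreated": "2020-09-22T01:00:00",
     "Message": "The Print Spooler service entered the running state."},
    {"Id": 5827, "ProviderName": "NETLOGON", "TimeCreated": "2020-09-22T02:03:57",
     "Message": "The Netlogon service denied a vulnerable Netlogon secure channel connection "
                "from a machine account.\nMachine SamAccountName: DC01$\nDomain: CORP\n"
                "Account Type: Server Trust Account\nClient IP Address: 10.0.9.77"},
    {"Id": 5830, "ProviderName": "NETLOGON", "TimeCreated": "2020-09-22T07:15:00",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection "
                "because the machine account is allowed in the group policy.\n"
                "Machine SamAccountName: PRINTSRV$\nDomain: CORP\nClient IP Address: 10.0.5.12"},
]


def parse_event(record):
    """Return (outcome, account, client_ip) for a Netlogon event, or None if unrelated."""
    outcome = NETLOGON_EVENTS.get(record.get("Id"))
    if outcome is None or record.get("ProviderName", "").upper() != "NETLOGON":
        return None
    msg = record.get("Message", "")
    account = _ACCOUNT_RE.search(msg)
    ip = _IP_RE.search(msg)
    return (outcome,
            account.group(1) if account else "<unknown>",
            ip.group(1) if ip else "<unknown>")


def triage(records):
    """Group vulnerable-connection events by outcome, then by account -> hit count."""
    summary = defaultdict(Counter)
    for rec in records:
        parsed = parse_event(rec)
        if parsed:
            outcome, account, _ip = parsed
            summary[outcome][account] += 1
    return {outcome: dict(counts) for outcome, counts in summary.items()}


def accounts_to_investigate(records):
    """(account, client IP) pairs whose vulnerable connection was refused.

    Before enforcement these are usually third-party devices that still need a
    vendor fix; a refusal that names a domain controller's own account but
    arrives from an address that is not that DC is a strong signal to escalate.
    """
    hits = set()
    for rec in records:
        parsed = parse_event(rec)
        if parsed and parsed[0] == "denied":
            hits.add((parsed[1], parsed[2]))
    return sorted(hits)


if __name__ == "__main__":
    for outcome, counts in sorted(triage(SAMPLE_RECORDS).items()):
        print(f"{outcome}: {counts}")
    print("investigate:", accounts_to_investigate(SAMPLE_RECORDS))
```

The "allowed" bucket is the to-do list before enforcement mode is switched on (every account there will be refused once it is), while "denied" is what to correlate with the client address and the time of day.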
Threat intelligence specialist and Cyjax CISO Ian Thornton-Trump called it when he told me on September 19 that "CVE-2020-1472 was probably going to be weaponized fairly quickly." He also warned that the exploit could be "devastating in the hands of cybercriminals."
"Crypto errors are hard to notice, if ever, but these errors highlight the impact threat actors can have when they have enough time to exploit them," says Jake Moore, cybersecurity specialist at ESET. He echoes the universal advice that patching early is vital, especially now that we know attackers have working exploit code. "The August 2020 patch is enough to thwart the attack," Moore concludes, "but it acts as a further reminder that a good patch will save you from the tsunami of constant attacks."
A Microsoft spokesperson confirmed, regarding the Zerologon exploit, that "a security update was released in August 2020. Customers who apply the update, or have automatic updates enabled, will be protected."