Microsoft has warned Windows 10 customers that it has received “a small number of reports” of attacks on its Netlogon protocol, which it corrected in August.
The Windows maker issued another alert on Thursday, following its warning in September that attackers were exploiting the elevation-of-privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC).
Netlogon is the protocol Windows uses to authenticate a Windows Server as a domain controller and to maintain the secure channel between domain members and that controller. The flaw was serious enough that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to apply Microsoft’s fix for the bug, tracked as CVE-2020-1472 and also known as Zerologon, within three days of its posting in the August Patch Tuesday update.
Defensive security researchers found the bug to be easy to exploit, making it a prime target for more opportunistic attackers. But when Microsoft released the patch on Tuesday, August 11, some system administrators were unaware of its severity.
Attackers could exploit the flaw to run malware on a network device after spoofing an Active Directory domain controller account. Its danger was compounded by the fact that Zerologon proof-of-concept exploits became publicly available shortly after Microsoft released its patch.
CISA warned agencies to fix the flaw quickly, as Windows Server domain controllers are widely used in US government networks and the bug carried a rare severity rating of 10 out of 10. This prompted CISA to ask agencies to ‘apply the patch the same week that Microsoft’s August 11 patch was released’.
Microsoft has updated its support document for the bug for clarity. It recommends that administrators update domain controllers with the hotfix, monitor the logs of devices making connections to the server, and enable Enforce mode.
Microsoft and CISA are particularly concerned that the flaw could be used by cyber attackers to disrupt the US election. In September, the company warned that Chinese, Iranian and Russian hackers had targeted the Biden and Trump campaigns.
“We have contacted CISA, which has issued an additional alert to remind national and local agencies, including those involved in the US election, to take the necessary measures to address this vulnerability,” Microsoft said.
The bug was serious enough that Microsoft published a registry key that let administrators turn on “enforce mode” before the company made enforcement mandatory on February 9, 2021.
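The article’s three recommendations (patch the domain controllers, watch the logs for devices connecting over vulnerable Netlogon channels, and enable enforcement mode) can be checked from a domain controller with a short script. The following is an added example, not code from the article or from Microsoft; it assumes it is run locally on a patched domain controller with administrative rights, and takes the registry value name (FullSecureChannelProtection) and the Netlogon event IDs 5827 to 5831 from Microsoft’s CVE-2020-1472 deployment guidance rather than from this page.

```powershell
# Added example (not from the article): audit one domain controller's Zerologon posture.
# Assumption: runs locally on a DC with admin rights after the August 2020 update is installed.
# FullSecureChannelProtection and event IDs 5827-5831 are from Microsoft's CVE-2020-1472 guidance.

function Get-NetlogonEnforcementState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $item = Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
    switch ($item.FullSecureChannelProtection) {
        1       { 'Enforcement mode: ON  (vulnerable Netlogon secure-channel connections are denied)' }
        0       { 'Enforcement mode: OFF (explicitly disabled; vulnerable connections are allowed)' }
        default { 'Enforcement mode: not set (pre-February-2021 default was monitoring only)' }
    }
}

function Get-VulnerableNetlogonEvents {
    param([int]$Days = 7)
    # 5827/5828: a vulnerable connection was denied (enforcement working as intended).
    # 5829: a vulnerable connection was ALLOWED because enforcement is off; investigate the source.
    # 5830/5831: allowed only because the account is exempted by the "allow vulnerable" group policy.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
        $id = [int]$_.Name
        $meaning = switch ($id) {
            { $_ -in 5827, 5828 } { 'Denied vulnerable connection' }
            5829                  { 'ALLOWED vulnerable connection - enforcement off, investigate' }
            default               { 'Allowed by exemption policy - review the exempted account' }
        }
        # Keep the most recent message so the machine or account name in it can be followed up.
        $latest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).Message
        [pscustomobject]@{
            EventId = $id
            Count   = $_.Count
            Meaning = $meaning
            Latest  = ($latest -split "`r?`n")[0]
        }
    }
}

Get-NetlogonEnforcementState
Get-VulnerableNetlogonEvents -Days 7 | Format-Table -AutoSize -Wrap
```

Any 5829 entries identify devices still using the vulnerable handshake; those need updating or an explicit, reviewed exemption before enforcement mode is turned on, otherwise they will lose domain connectivity.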