Microsoft Warns Threat Actors Continue to Exploit Zerologon Bug


Tech giant and feds this week renewed their urge to organizations to update Active Directory domain controllers.

Threat attackers continue to exploit the Microsoft Zerologon vulnerability, a situation that’s been a persistent worry to both the company and the U.S. government over the last few months. Both on Thursday renewed their pleas to businesses and end users to update  Windows systems with a patch Microsoft released in August to mitigate attacks.

Despite patching awareness efforts, Microsoft said it is still receiving “a small number of reports from customers and others” about active exploits of the bug tracked as CVE-2020-1472, or Zerologon, according to a blog post by Aanchal Gupta, vice president of engineering for MSRC, on Thursday.

The zero-day elevation-of-privilege vulnerability—rated as critical and first disclosed and patched on Aug. 11–could allow an attacker to spoof a domain controller account and then use it to steal domain credentials, take over the domain and completely compromise all Active Directory identity services.

The bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.

Gupta urged organizations to deploy the Aug.11 patch or later release to every domain controller as the first in a four-step process to fix the vulnerability. Then administrators should monitor event logs to find which devices are making vulnerable connections; address identified non-compliant devices; and enable enforcement to address the bug in the overall environment, he said.

“Once fully deployed, Active Directory domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts,” he said.

In addition to Microsoft’s patches, last month both Samba and 0patch also issued fixes for CVE-2020-1472 to fill in the some of the gaps that the official patch doesn’t address, such as end-of-life versions of Windows.

Microsoft’s latest advisory was enough for the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) to step in and issue a statement of its own Thursday warning organizations about continued exploit of the bug.

Given the severity of the vulnerability, the government has been nearly as active as Microsoft in urging people to update their systems. Interest from the feds likely has intensified since Microsoft’s warning earlier this month that an Iranian nation-state advanced persistent threat (APT) actor that Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) is now actively exploiting Zerologon.

“CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes,” according to the CISA alert.

The agency even has released a patch validation script to detect unpatched Microsoft domain controllers to help administers install the update. “If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services,” the CISA warned.

Zerologon has been a consistent thorn in Microsoft’s side since its discovery, a scenario that has escalated since early September thanks largely to the publication of four proof-of-concept exploits for the flaw on Github. Soon after the exploits were published, Cisco Talos researchers warned of a spike in exploitation attempts against Zerologon.

The U.S. government first stepped in to rally organizations to update after the publication of the exploits, with the DHS issuing a rare emergency directive that ordered federal agencies to patch their Windows Servers against the flaw by Sept. 21.

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.

Suggested articles