Zerologon Attacks Against Microsoft DCs Snowball in a Week


The attempted compromises, which could allow full control over Active Directory identity services, are flying thick and fast just a week after active exploits of CVE-2020-1472 were first flagged.

A spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, known as the Zerologon bug, continues to plague businesses.

That’s according to researchers from Cisco Talos, who warned that cybercriminals are redoubling their efforts to trigger the elevation-of-privilege bug in the Netlogon Remote Protocol, which was addressed in the August Microsoft Patch Tuesday report. Microsoft announced last week that it had started observing active exploitation in the wild: “We have observed attacks where public exploits have been incorporated into attacker playbooks,” the firm tweeted on Wednesday.

Now, the volume of those attacks is ramping up, according to Cisco Talos, and the stakes are high. Netlogon, available on Windows domain controllers, is used for various tasks related to user- and machine-authentication. A successful exploit allows an unauthenticated attacker with network access to a domain controller (DC) to completely compromise all Active Directory identity services, according to Microsoft.

“This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials,” added Cisco Talos, in a writeup on Monday. “The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality.”

Four proof-of-concept (PoC) exploits were recently released for the issue, which is a critical flaw rated 10 out of 10 on the CVSS severity scale. That prompted the U.S. Cybersecurity and Infrastructure Security Agency (PDF) to issue a dire warning that the “vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.” It also mandated that federal agencies patch their Windows Servers against Zerologon, in a rare emergency directive issued by the Secretary of Homeland Security.

Two-Phased Patching

Microsoft’s patch process for Zerologon is a phased, two-part rollout.

The initial patch for the vulnerability was issued as part of the computing giant’s August 11 Patch Tuesday security updates, which addresses the security issue in Active Directory domains and trusts, as well as Windows devices.

However, to fully mitigate the security issue for third-party devices, users will need to not only update their domain controllers, but also enable “enforcement mode.” They should also monitor event logs to find out which devices are making vulnerable connections and address non-compliant devices, according to Microsoft.

“Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices,” it said. “At that time, you will not be able to disable enforcement mode.”
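The monitoring and enforcement-mode steps above can be checked from the domain controller itself. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the August 2020 update for CVE-2020-1472 is installed, uses the Netlogon event IDs and the FullSecureChannelProtection registry value that Microsoft documented for that update, and assumes the account name is the first property of each event.

```powershell
# Added example (not from the article). Run elevated on a patched DC.
# Event IDs 5827-5831 are written to the System log by NETLOGON after
# the August 2020 update for CVE-2020-1472.
$netlogonIds = @{
    5827 = 'Denied: vulnerable connection from machine account'
    5828 = 'Denied: vulnerable connection from trust account'
    5829 = 'Allowed: vulnerable connection (enforcement mode off)'
    5830 = 'Allowed: vulnerable machine account exempted by policy'
    5831 = 'Allowed: vulnerable trust account exempted by policy'
}

# 1. Is enforcement mode on? 1 = enforce; 0 or absent = deployment phase.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforce = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($enforce -eq 1) {
    Write-Host 'Enforcement mode: ON (vulnerable connections are blocked)'
} else {
    Write-Host 'Enforcement mode: OFF (5829 events show devices still to fix)'
}

# 2. Which devices made vulnerable Netlogon connections in the last 7 days?
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = [int[]]$netlogonIds.Keys
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Outcome = $netlogonIds[$_.Id]
            # Assumption: the account (device) name is the first event property.
            Account = $_.Properties[0].Value
        }
    } |
    Group-Object Account, Outcome |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Devices that appear under 5829 are the non-compliant ones Microsoft says to address before enforcement mode becomes mandatory; once enforcement is on, the same devices show up as 5827/5828 denials.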

Last week, both Samba and 0patch issued fixes for CVE-2020-1472, to fill in some of the gaps that the official patch doesn’t address, such as end-of-life versions of Windows, in the case of the latter.

Samba, a third-party file-sharing utility for swapping materials between Linux and Windows systems, relies on the Netlogon protocol, and thus suffers from the vulnerability. The bug exists when Samba is used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC),

