If your business is running Windows Server, you would be wise to check that you’re patched against the Zerologon vulnerability (also known as CVE-2020-1472).
The Zerologon vulnerability, discovered by researchers at Secura, puts domain controllers at risk of hijacking by attackers seeking administrator access.
In a technical paper, Secura’s Tom Tervoort shared details of the vulnerability, which is said to be easy to exploit, and published a tool which administrators could use to test whether their domain controllers were vulnerable.
Perhaps predictably, there are now several proof-of-concept exploits for the Zerologon vulnerability publicly available.
The good news is that in August Microsoft released a fix against the vulnerability as part of its regular patch update.
The bad news is that there’s a good chance some organisations still haven’t applied it, and Microsoft says that hackers are now actively exploiting Zerologon in real-world attacks.
Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
Last week the Department of Homeland Security (DHS), clearly anticipating that organisations would come under attack via the flaw, issued an emergency directive ordering federal agencies to apply patches against the vulnerability by the end of Monday, September 21, 2020.
Other software which supports the Microsoft Netlogon Remote Protocol (MS-NRPC), such as Samba, is also vulnerable to the security hole and should likewise be updated.
If there are active attacks in the wild, if the DHS is ordering federal agencies to defend themselves, and if Zerologon is so easy to exploit, don’t you think your business should be patching itself pronto?