Warning: Attackers Exploiting Windows Server VulnerabilityAttacks Targeting 'Zerologon' Vulnerability Spotted in the Wild
Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency have issued warnings that a critical vulnerability in Windows Server dubbed "Zerologon" is being actively exploited in the wild. They urge users to immediately apply an available partial patch.
CISA had previously ordered federal agencies to apply the patch by Tuesday before issuing its second alert on Thursday that the vulnerability, which is tracked as CVE-2020-1472, is now being exploited (see: CISA Pushes Government Agencies to Patch 'Zerologon' Flaw).
The Zerologon vulnerability was given a CVSS score of 10 - the most critical.
Microsoft Sounds Alarm
On Wednesday, the Microsoft Security Intelligence team issued its alert warning that attackers were exploiting the Zerologon vulnerability. "We have observed attacks where public exploits have been incorporated into attacker playbooks," Microsoft warns.
Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat.— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
Neither CISA nor Microsoft offered details about how attackers were exploiting the Zerologon flaw. But proof-of-concept examples have been previously posted on GitHub and other websites.
The Zerologon vulnerability, which exists in several versions of Microsoft Windows Server, affects the operating system's Netlogon Remote Protocol, or MS-NRPC - an authentication component of Active Directory that organizations deploy to manage user accounts, including authentication and access, according to Microsoft’s initial alert.
Attackers have a large window to exploit the Zerologon vulnerability, says Dustin Childs of the Zero Day Initiative, which is part of security firm Trend Micro.
"The average mean time to patch is 60 to 150 days. This CVE was published in early August, so that would put the average time for implementing this patch between October 2020 and January 2021," Dustin says.
"After applying this [partial] patch, you’ll still need to make changes to your domain control," Childs notes. "Microsoft published guidelines to help administrators choose the correct settings."
In a separate analysis, Trend Micro researchers warned that attacks exploiting Zerologon, which can be executed in three seconds, potentially enable hackers to compromise the victim's server, disable the security feature, change passwords and take over the network.
Although the vulnerability cannot be remotely exploited, an attacker with network access can use it to gain persistence within a network, according to the Trend Micro analysis.
Brian Davis, director of federal security solutions at security firm Vectra, notes hackers can exploit the vulnerability to conduct Remote Desktop Protocol and remote procedure call reconnaissance after breaching a network. That can enable hackers to gain a foothold within the entire network or attempt to exfiltrate data, he explains.
"For external attackers, successfully detecting [command-and-control] from the compromised host in the form of external remote access, hidden HTTP/HTTPS/DNS tunnel or suspicious relay is required," Davis tells Information Security Media Group. "Remote Desktop Protocol reconnaissance and remote procedure call reconnaissance could be expected as external attackers find their way around the network."
Microsoft issued the partial patch for the Zerologon vulnerability in August during its monthly Patch Tuesday rollout. Dutch security firm Secura published a blog post on Sept. 11, explaining how an attacker could exploit the bug to gain access to the domain controller and then take over an entire network if the fix was not applied.
In addition to the vulnerabilities in Windows Server, the Samba Team, a group of developers that provides Windows-based file and print services for Unix and Linux systems, issued its own advisory this week concerning a Zerologon patch for its users because Samba also uses the Netlogon protocol for its applications.
Breach detection toolmaker Cynet says it will release on Monday two free detection mechanisms to help organizations determine if a Zerologon exploit has been used in their IT environment.
One is a Yara rule that can scan for lsass.exe memory dumps. "The rule will alert upon detection of Mimikatz or other Zerologon exploits," Cynet says. The other is a Zerologon Analysis and Detection Tool, an executable file that “detects spikes in network traffic of lsass.exe from a given IP.”
Executive Editor Mathew Schwartz contributed to this report.