Warning: Attackers Exploiting Windows Server Vulnerability

Attacks Targeting 'Zerologon' Vulnerability Spotted in the Wild

Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency have issued warnings that a critical vulnerability in Windows Server dubbed "Zerologon" is being actively exploited in the wild. They urge users to immediately apply an available partial patch.

CISA had previously ordered federal agencies to apply the patch by Tuesday before issuing its second alert on Thursday that the vulnerability, which is tracked as CVE-2020-1472, is now being exploited (see: CISA Pushes Government Agencies to Patch 'Zerologon' Flaw).

The Zerologon vulnerability was given a CVSS score of 10 - the most critical.

Microsoft Sounds Alarm

On Wednesday, the Microsoft Security Intelligence team issued its alert warning that attackers were exploiting the Zerologon vulnerability. "We have observed attacks where public exploits have been incorporated into attacker playbooks," Microsoft warns.

Neither CISA nor Microsoft offered details about how attackers were exploiting the Zerologon flaw. But proof-of-concept examples have been previously posted on GitHub and other websites.

Critical Flaw

The Zerologon vulnerability, which exists in several versions of Microsoft Windows Server, affects the operating system's Netlogon Remote Protocol, or MS-NRPC - an authentication component of Active Directory that organizations deploy to manage user accounts, including authentication and access, according to Microsoft’s initial alert.

Microsoft is tracking active exploitation of the Zerologon vulnerability. (Source: Microsoft)

Attackers have a large window to exploit the Zerologon vulnerability, says Dustin Childs of the Zero Day Initiative, which is part of security firm Trend Micro.

"The average mean time to patch is 60 to 150 days. This CVE was published in early August, so that would put the average time for implementing this patch between October 2020 and January 2021," Childs says.

"After applying this [partial] patch, you’ll still need to make changes to your domain control," Childs notes. "Microsoft published guidelines to help administrators choose the correct settings."

In a separate analysis, Trend Micro researchers warned that attacks exploiting Zerologon, which can be executed in three seconds, potentially enable hackers to compromise the victim's server, disable the security feature, change passwords and take over the network.

Although the vulnerability cannot be remotely exploited, an attacker with network access can use it to gain persistence within a network, according to the Trend Micro analysis.

Brian Davis, director of federal security solutions at security firm Vectra, notes hackers can exploit the vulnerability to conduct Remote Desktop Protocol and remote procedure call reconnaissance after breaching a network. That can enable hackers to gain a foothold within the entire network or attempt to exfiltrate data, he explains.

"For external attackers, successfully detecting [command-and-control] from the compromised host in the form of external remote access, hidden HTTP/HTTPS/DNS tunnel or suspicious relay is required," Davis tells Information Security Media Group. "Remote Desktop Protocol reconnaissance and remote procedure call reconnaissance could be expected as external attackers find their way around the network."

Other Concerns

Microsoft issued the partial patch for the Zerologon vulnerability in August during its monthly Patch Tuesday rollout. Dutch security firm Secura published a blog post on Sept. 11, explaining how an attacker could exploit the bug to gain access to the domain controller and then take over an entire network if the fix was not applied.

In addition to the vulnerabilities in Windows Server, the Samba Team, a group of developers that provides Windows-compatible file and print services for Unix and Linux systems, issued its own advisory this week concerning a Zerologon patch for its users, because Samba also implements the Netlogon protocol.

Additional Help

Breach detection toolmaker Cynet says it will release on Monday two free detection mechanisms to help organizations determine if a Zerologon exploit has been used in their IT environment.

One is a Yara rule that can scan for lsass.exe memory dumps. "The rule will alert upon detection of Mimikatz or other Zerologon exploits," Cynet says. The other is a Zerologon Analysis and Detection Tool, an executable file that “detects spikes in network traffic of lsass.exe from a given IP.”
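The Cynet tool described above is proprietary; as an added example that is not part of this article or of Cynet's tooling, the following Python detector applies the same idea of spotting a spike in Netlogon traffic from a single source: it counts inbound Netlogon connections per source IP inside a sliding three-second window and flags any source that crosses a threshold. The log format (timestamp, source IP, destination, service) and the sample lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 3.0   # the article notes an attack can complete in about three seconds
THRESHOLD = 25         # constructed cutoff; tune to the domain controller's observed baseline

def parse_line(line):
    """Assumed format: '<iso-timestamp> <src_ip> <dst> <service>' -> (datetime, src_ip, service)."""
    ts, src, _dst, service = line.split()
    return datetime.fromisoformat(ts), src, service

def find_spikes(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window count of Netlogon connections per source IP.

    Returns {src_ip: peak_count} for every source whose count within any
    `window`-second span reaches `threshold`; quiet sources are omitted.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, service = parse_line(line)
        if service != "netlogon":   # only Netlogon (RPC into lsass.exe) is of interest
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop events that aged out
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

def constructed_sample():
    """Constructed log: one workstation with normal traffic, one source hammering Netlogon."""
    t0 = datetime(2020, 9, 24, 10, 0, 0)
    lines = []
    # benign: 10.0.0.5 authenticates once every 30 seconds over 10 minutes
    for i in range(20):
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} 10.0.0.5 dc01:49667 netlogon")
    # suspicious: 10.0.0.77 opens 80 Netlogon sessions within two seconds
    for i in range(80):
        lines.append(f"{(t0 + timedelta(seconds=60, milliseconds=25 * i)).isoformat()} 10.0.0.77 dc01:49667 netlogon")
    # unrelated SMB traffic from the same host is ignored by the detector
    lines.append(f"{(t0 + timedelta(seconds=61)).isoformat()} 10.0.0.77 dc01:445 smb")
    return sorted(lines)   # ISO timestamps sort lexically

if __name__ == "__main__":
    print(find_spikes(constructed_sample()))   # {'10.0.0.77': 80}
```

In practice the input would come from a network sensor or the domain controller's own connection logs, and the threshold should be set above the burstiest legitimate client seen during a baseline period.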

Executive Editor Mathew Schwartz contributed to this report.

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
