Microsoft warns of ongoing exploits against Zerologon vulnerability (CVE-2020-1472)

Microsoft issued a new warning of ongoing exploits against a Netlogon protocol vulnerability dubbed Zerologon (CVE-2020-1472).

In the blog post, Microsoft said they had received a small number of reports from customers and others about continued exploit activity against the Zerologon vulnerability.

The issue was patched as part of the August security updates issued on August 11, 2020.

“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network,” Microsoft stated in the advisory in August.

In a tweet sent out September 23, Microsoft said they had spotted active exploits in wild of the Netlogon vulnerability CVE-2020-1472.

In addition, cybersecurity experts also warned of publicly available exploit code that was published for CVE-2020-1472 that could allow attackers to hijack Windows domain controllers.

“The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords,” security expert Tom Tervoort of Secura explained.

“This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.”

Earlier this month, advanced persistent threat actors (APTs) were also discovered exploiting multiple legacy internet-facing vulnerabilities in combination with Zerologon to target government networks, critical infrastructure, and elections organizations.

To that end, Microsoft “strongly encourages” organizations to apply the security updates to every domain controller as the “most critical first step” in addressing CVE-2020-1472.

Related Articles