In a tweet sent out Wednesday night, Microsoft said it has spotted active exploitation in the wild of the Netlogon vulnerability CVE-2020-1472, dubbed Zerologon.
Just last week, security experts warned after publicly available exploit code was published for CVE-2020-1472, a Microsoft Netlogon vulnerability that could allow attackers to hijack Windows domain controllers.
Now, Microsoft confirmed active exploits of Zerologon in a series of tweets.
“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks,” Microsoft said in the tweet.
— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
Microsoft added that Microsoft 365 customers can use the threat analytics reports in Microsoft Defender Security Center to help detect and mitigate the threat.
We’ll continue to monitor developments and update the threat analytics report with latest info. We strongly recommend customers to immediately apply security updates for CVE-2020-1472. Microsoft 365 customers can use threat & vulnerability management data to see patching status.
— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
Microsoft issued a patch for the vulnerability as part of the August security updates.
“An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network,” Microsoft explained.
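Microsoft's advice above is to apply the August update and watch its detection data. As an added example (not from the article, Microsoft or Secura), the following PowerShell audits a single domain controller for the Netlogon hardening that the CVE-2020-1472 update introduced; the event IDs 5827-5831 and the FullSecureChannelProtection registry value are taken from Microsoft's deployment guidance for that update and are not stated on this page.

```powershell
# Added example: audit a domain controller for the CVE-2020-1472 (Zerologon)
# hardening shipped in the August 2020 Netlogon update. Event IDs 5827-5831 and
# the FullSecureChannelProtection value are from Microsoft's deployment guidance
# for the update (not from the article). Run elevated on the domain controller.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-ZerologonHardeningStatus {
    # FullSecureChannelProtection = 1 puts the DC in enforcement mode, rejecting
    # vulnerable Netlogon secure channel connections. Absent or 0 means the DC is
    # still in the initial deployment phase and only logs them.
    $value = (Get-ItemProperty -Path $paramsKey -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection
    $shown = '<not set>'
    if ($null -ne $value) { $shown = $value }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        EnforcementMode = ($value -eq 1)
        RegistryValue   = $shown
    }
}

function Get-ZerologonNetlogonEvents {
    param([int]$Days = 7)
    # 5827/5828: vulnerable connection denied (machine / trust account)
    # 5829:      vulnerable connection allowed (DC still in deployment phase)
    # 5830/5831: vulnerable connection allowed by an explicit Group Policy exception
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Meaning'; Expression = {
                switch ($_.Id) {
                    5827    { 'Denied: vulnerable machine account connection' }
                    5828    { 'Denied: vulnerable trust account connection' }
                    5829    { 'ALLOWED: vulnerable connection (deployment phase)' }
                    default { 'ALLOWED: vulnerable connection permitted by GPO exception' }
                }
            } },
            Message
}

Get-ZerologonHardeningStatus | Format-List
Get-ZerologonNetlogonEvents -Days 7 | Format-Table -AutoSize -Wrap
```

Any 5829 events identify devices that would break once enforcement is turned on, so they are the list to remediate before setting the registry value to 1.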
Tom Tervoort of Secura first discovered the severe Zerologon vulnerability and wrote about it in a blog post.
Secura also published a test tool on GitHub and a whitepaper with more details on the vulnerability and exploit.