UPDATED 22:50 EDT / SEPTEMBER 24 2020

SECURITY

Microsoft warns ‘ZeroLogon’ Windows Server vulnerability is being exploited in the wild

An exploit in Microsoft Corp.’s Windows Server is actively being exploited in the wild even though a patch for the critical vulnerability was issued last month.

Dubbed “ZeroLogon” by cybersecurity professionals and “Netlogon EoP” by Microsoft, the vulnerability, patched in the Microsoft Patch Tuesday security update in August is rated with a critical vulnerability score of 10, the highest possible rating on the CVE scale. The vulnerability, known as an “elevation of privilege,” allows an attacker to gain a connection to a vulnerable domain controller using the Netlogon Remote Protocol and obtain domain admin rights.

Although it was patched in August, cybersecurity firm Secura was the first to break down earlier this month how the vulnerability works. In its words, it’s an “interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click,” and that “all that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.”

Security vulnerabilities are a dime a dozen, but where this one becomes more interesting is that Microsoft itself is warning about it being exploited in the wild. The warning initially came from the Microsoft Security Intelligence team on Twitter.

The simple solution to combat the Zerologon vulnerability is to install the August 2020 patch, but the problem is that many users of Windows Server are still not actively updating their installations.

“Even though CISA issued a directive to apply the patch that Microsoft released on Aug. 11, we can see patch management is not as simple as flipping a switch,” Terence Jackson, chief information security officer at privileged access management firm Thycotic Software Ltd., told SiliconANGLE. “Due to the nature of this vulnerability attackers will continue look for companies vulnerable and attempt to exploit. If an attacker obtains domain admin on a network, it is essentially game over. Companies and agencies should identify their vulnerable servers and patch them as soon as possible.”

Vulnerabilities such as ZeroLogon provide a sobering reminder of the weaknesses of cybersecurity tools that rely too heavily on signatures, said Brian Davis, director of federal security solutions at artificial intelligence threat detection company Vectra AI Inc. “They deliver some level of protection against this exploit, albeit after the fact, even too late for some,” he said. “Many federal agencies are unwilling to continue to put their faith in this all too familiar cadence, beginning with security researchers finding previously unknown vulnerabilities, reacting with a new signature, only for the exploits to change slightly and circumvent these same protections.”

Scott Caveza, research engineering manager at cyber exposure firm Tenable Inc., links the Secura post to the now in-the-wild exploits.

“Shortly after the blog post from Secura was published, detailing the impact and technical information about ZeroLogon, multiple proof-of-concept scripts emerged,” Caveza explains. “In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand upon previous code to add further automated and sophisticated attack scenarios. We anticipated attackers would seize the opportunity and begin exploiting the flaw very quickly, which we’re now seeing play out.”

Image: Microsoft

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU