Microsoft warns ‘ZeroLogon’ Windows Server vulnerability is being exploited in the wild

An exploit in Microsoft Corp.’s Windows Server is actively being exploited in the wild even though a patch for the critical vulnerability was issued last month.

Dubbed “ZeroLogon” by cybersecurity professionals and “Netlogon EoP” by Microsoft, the vulnerability, patched in the Microsoft Patch Tuesday security update in August is rated with a critical vulnerability score of 10, the highest possible rating on the CVE scale. The vulnerability, known as an “elevation of privilege,” allows an attacker to gain a connection to a vulnerable domain controller using the Netlogon Remote Protocol and obtain domain admin rights.

Although it was patched in August, cybersecurity firm Secura was the first to break down earlier this month how the vulnerability works. In its words, it’s an “interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click,” and that “all that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.”

Security vulnerabilities are a dime a dozen, but where this one becomes more interesting is that Microsoft itself is warning about it being exploited in the wild. The warning initially came from the Microsoft Security Intelligence team on Twitter.

The simple solution to combat the Zerologon vulnerability is to install the August 2020 patch, but the problem is that many users of Windows Server are still not actively updating their installations.

“Even though CISA issued a directive to apply the patch that Microsoft released on Aug. 11, we can see patch management is not as simple as flipping a switch,” Terence Jackson, chief information security officer at privileged access management firm Thycotic Software Ltd., told SiliconANGLE. “Due to the nature of this vulnerability attackers will continue look for companies vulnerable and attempt to exploit. If an attacker obtains domain admin on a network, it is essentially game over. Companies and agencies should identify their vulnerable servers and patch them as soon as possible.”

Vulnerabilities such as ZeroLogon provide a sobering reminder of the weaknesses of cybersecurity tools that rely too heavily on signatures, said Brian Davis, director of federal security solutions at artificial intelligence threat detection company Vectra AI Inc. “They deliver some level of protection against this exploit, albeit after the fact, even too late for some,” he said. “Many federal agencies are unwilling to continue to put their faith in this all too familiar cadence, beginning with security researchers finding previously unknown vulnerabilities, reacting with a new signature, only for the exploits to change slightly and circumvent these same protections.”

Scott Caveza, research engineering manager at cyber exposure firm Tenable Inc., links the Secura post to the now in-the-wild exploits.

“Shortly after the blog post from Secura was published, detailing the impact and technical information about ZeroLogon, multiple proof-of-concept scripts emerged,” Caveza explains. “In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand upon previous code to add further automated and sophisticated attack scenarios. We anticipated attackers would seize the opportunity and begin exploiting the flaw very quickly, which we’re now seeing play out.”

Image: Microsoft

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.