Microsoft warns ‘ZeroLogon’ Windows Server vulnerability is being exploited in the wild
A vulnerability in Microsoft Corp.’s Windows Server is actively being exploited in the wild even though a patch for the critical flaw was issued last month.
Dubbed “ZeroLogon” by cybersecurity professionals and “Netlogon EoP” by Microsoft, the vulnerability, patched in Microsoft’s August Patch Tuesday security update, is rated with a critical vulnerability score of 10, the highest possible rating on the CVE scale. The vulnerability, classed as an “elevation of privilege,” allows an attacker to establish a connection to a vulnerable domain controller using the Netlogon Remote Protocol and obtain domain admin rights.
Although it was patched in August, cybersecurity firm Secura was the first to break down, earlier this month, how the vulnerability works. In its words, it’s an “interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click,” and “all that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.”
0-Domain Admin in 10 seconds with Zerologon (CVE-2020-1472)
Using @_dirkjan 's NetrServerPasswordSet2 commit to impacket 😀🥳 pic.twitter.com/PELfKJCQLV
— Rich Warren (@buffaloverflow) September 14, 2020
Security vulnerabilities are a dime a dozen, but where this one becomes more interesting is that Microsoft itself is warning about it being exploited in the wild. The warning initially came from the Microsoft Security Intelligence team on Twitter.
Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
The simple solution to combat the Zerologon vulnerability is to install the August 2020 patch, but the problem is that many users of Windows Server are still not actively updating their installations.
“Even though CISA issued a directive to apply the patch that Microsoft released on Aug. 11, we can see patch management is not as simple as flipping a switch,” Terence Jackson, chief information security officer at privileged access management firm Thycotic Software Ltd., told SiliconANGLE. “Due to the nature of this vulnerability, attackers will continue to look for vulnerable companies and attempt to exploit them. If an attacker obtains domain admin on a network, it is essentially game over. Companies and agencies should identify their vulnerable servers and patch them as soon as possible.”
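As an added defender-side example (not from the article, Microsoft or Secura), the following Python triages a flattened export of the Netlogon events that Microsoft’s August 2020 update began logging when a vulnerable secure-channel connection is denied or allowed; the flattened line format and the sample lines are constructed for this example, so a real export from Get-WinEvent or a SIEM needs its own field mapping.

```python
import re

# Netlogon event IDs Microsoft documented alongside the August 2020 fix
# (a fact known to the editor, not stated in the article above):
#   5827 / 5828 - vulnerable Netlogon secure channel connection DENIED
#   5829        - vulnerable Netlogon secure channel connection ALLOWED
#                 (DC is patched but is not yet enforcing secure RPC)
DENIED = {5827, 5828}
ALLOWED = {5829}

# Hypothetical flattened export format used only for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dc>\S+) NETLOGON EventID=(?P<id>\d+) "
    r"Account=(?P<account>\S+) Client=(?P<client>\S+)$"
)

def parse_line(line):
    """Return a dict for a Netlogon line in the assumed format, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    return ev

def triage(lines):
    """Group vulnerable-connection events: bucket -> DC -> account -> client IPs."""
    report = {"allowed": {}, "denied": {}}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        bucket = ("allowed" if ev["id"] in ALLOWED
                  else "denied" if ev["id"] in DENIED else None)
        if bucket is None:
            continue  # other Netlogon events are not relevant here
        per_dc = report[bucket].setdefault(ev["dc"], {})
        per_dc.setdefault(ev["account"], set()).add(ev["client"])
    return report

def dcs_not_enforcing(report):
    """DCs still ALLOWING vulnerable connections: patched, but enforcement is off."""
    return sorted(report["allowed"])

# Constructed sample log lines (not real telemetry).
SAMPLE = """\
2020-09-24T10:01:02Z DC01 NETLOGON EventID=5829 Account=DC01$ Client=10.0.5.77
2020-09-24T10:01:03Z DC01 NETLOGON EventID=5829 Account=DC01$ Client=10.0.5.77
2020-09-24T10:02:10Z DC02 NETLOGON EventID=5827 Account=LEGACYNAS$ Client=10.0.9.4
2020-09-24T10:03:00Z DC02 NETLOGON EventID=5805 Account=WKS17$ Client=10.0.1.8
""".splitlines()

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("vulnerable connections allowed:", r["allowed"])
    print("vulnerable connections denied:", r["denied"])
    print("DCs not yet enforcing secure RPC:", dcs_not_enforcing(r))
```

Every account that appears in the report is worth a look, and any DC that still logs allowed vulnerable connections should have the patch confirmed and enforcement mode enabled.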
Vulnerabilities such as ZeroLogon provide a sobering reminder of the weaknesses of cybersecurity tools that rely too heavily on signatures, said Brian Davis, director of federal security solutions at artificial intelligence threat detection company Vectra AI Inc. “They deliver some level of protection against this exploit, albeit after the fact, even too late for some,” he said. “Many federal agencies are unwilling to continue to put their faith in this all too familiar cadence, beginning with security researchers finding previously unknown vulnerabilities, reacting with a new signature, only for the exploits to change slightly and circumvent these same protections.”
Scott Caveza, research engineering manager at cyber exposure firm Tenable Inc., links the Secura post to the now in-the-wild exploits.
“Shortly after the blog post from Secura was published, detailing the impact and technical information about ZeroLogon, multiple proof-of-concept scripts emerged,” Caveza explains. “In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand upon previous code to add further automated and sophisticated attack scenarios. We anticipated attackers would seize the opportunity and begin exploiting the flaw very quickly, which we’re now seeing play out.”