\nMicrosoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.<\/p>\n
\u2014 Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020<\/a><\/p><\/blockquote>\n
The protocol-level hole affects Windows Server and other software that implements MS-NRPC<\/a> to provide domain controllers, such as Samba<\/a>. The vulnerability has been given a sweat-inducing CVSS score of 10 out of 10 in severity.<\/p>\n
<\/p>\n
As you’re scrambling to patch the scary ZeroLogon hole in Windows Server, don’t forget Samba \u2013 it’s also affected<\/h2>\n
READ MORE<\/span><\/a><\/div>\n
Sysadmins can’t say they weren’t warned about this flaw and the urgent need to patch it. Microsoft emitted its fix for CVE-2020-1472 in the August Patch Tuesday<\/a> bundle, and even back then experts were warning the flaw was a critical security risk and addressing it should be a high priority.<\/p>\n
“It\u2019s rare to see a critical-rated elevation-of-privilege bug,” Trend Micro-ZDI’s Dustin Childs said at the time<\/a>, “but this one deserves it.”<\/p>\n
Things got real serious when binary-pokers began to post their proof-of-concept code to exploit the flaw. This prompted the US government’s computer security agency CISA to take the rare step of issuing an emergency patch directive<\/a>, urging everyone to install fixes for ZeroLogon when possible.<\/p>\n
“This attack has huge impact,” said CISA. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged a device to an on-premise network port) to completely compromise the Windows domain.”<\/p>\n
As noted above, installing the August Patch Tuesday bundle will clear up this vulnerability on Windows boxes at least, and protect servers from attack. Admins would be wise to scan their boxes for suspicious activity or any indicators of compromise<\/a>, as at this point there is a chance machines, particularly those reachable from the internet, have already been exploited.<\/p>\n
Microsoft, meanwhile, said it has additional recommendations for those using the Microsoft 365 suite. “Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center,” said the MICROS~1 team. “The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat.” \u00ae<\/p>\n