Microsoft has confirmed that real-world cyber criminal activity is coalescing around the highly dangerous Zerologon vulnerability and warned users who have not yet patched it to do so as a matter of extreme urgency.
Described as a “near perfect” exploit, Zerologon, or CVE-2020-1472 to give it its official designation, is an elevation-of-privilege vulnerability through which a connection to a vulnerable domain controller using the Netlogon Remote Protocol (NRP) can obtain domain admin rights.
According to a whitepaper published by Secura, the only thing a malicious actor needs to take advantage of it is the ability to set up a TCP connection with a vulnerable domain controller – which means they need to have a foothold on the network but don’t need domain credentials.
CVE-2020-1472 was first revealed in August’s Patch Tuesday, and was highlighted then as one to watch by Gill Langston, head security nerd at Solarwinds MSP, who told Computer Weekly at the time that it was worth taking the time to read and review its implications.
In a series of statements posted to Twitter early on 24 September, Microsoft’s Security Intelligence unit said: “Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
“Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations and detection details designed to empower SecOps to detect and mitigate this threat.”
Microsoft added: “We’ll continue to monitor developments and update the threat analytics report with latest info. We strongly recommend customers to immediately apply security updates for CVE-2020-1472. Microsoft 365 customers can use threat and vulnerability management data to see patching status.”
Such is the severity of the Zerologon vulnerability that it prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive last week, legally requiring federal agencies to patch their systems immediately.
The CISA said it had determined that Zerologon posed an “unacceptable risk “ and required “immediate and emergency action”. It imposed a deadline of 11.59pm local time on Monday 21 September to do so.
Read more about Microsoft security
- Migrating to or operating cloud-based Microsoft 365 can bring with it a host of problems and misconfigurations. Check out 12 best practices to tighten Microsoft 365 security.
- Microsoft is enhancing products with additional features to address content security, enabling businesses to minimise risks while employees continue to work at home.
- Microsoft 365 security problems can double the time it takes to contain a breach, according to a new survey. Check out best practices and operational strategies to fix them.
Satnam Narang, staff research engineer at Tenable, described Zerologon as a “game over” situation for any organisation unlucky or foolhardy enough to fall victim to it, and urged prompt attention.
“The impact of the flaw is limited to an attacker who has already gained a foothold inside an organisation’s network, but despite this limitation, an attacker could leverage any number of existing unpatched vulnerabilities to breach their target network before pivoting to compromise the vulnerable domain controller,” said Narang. He added that Zerologon could also be a “compelling addition” to ransomware gangs’ toolkits.
“We strongly encourage organisations to apply the patches provided by Microsoft immediately,” he said. “If your domain controllers are running unsupported versions that are no longer receiving security updates from Microsoft, it is imperative to upgrade those as soon as possible.”