Microsoft reports continued exploitation of the Zerologon bug, a privilege escalation vulnerability in Microsoft’s Windows Server operating system. The enterprise software giant and CISA issued a second warning in two months, urging users to patch all systems “until every domain controller is updated.”
The Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have alerted federal and state organizations to patch the critical zerologon bug, CVE-2020-1472. The fix for the vulnerability was originally released with Microsoft’s August Patch Tuesday.
This is the second time in two months that CISA has warned organizations to fix unpatched systems still vulnerable to Zerologon, a privilege escalation vulnerability in the Netlogon Remote Protocol (MS-NRPC) used by Microsoft’s Windows Server operating systems. The federal agency previously issued a joint Emergency Directive (ED) 20-04 with the Department of Homeland Security (DHS), ordering federal agencies and the private sector to fix affected systems.
According to Microsoft’s security update guide, “An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).” CVE-2020-1472 is rated ‘Critical’ on the severity index and has the highest possible CVSS score of 10.
MS-NRPC is a core authentication component of Active Directory. In the emergency directive, CISA and DHS warned that “an unauthenticated attacker with network access to a domain controller can completely compromise all Active Directory identity services.” After exploitation, threat actors can use remote access tools such as a virtual private network (VPN) and the Remote Desktop Protocol (RDP) to gain access to enterprise networks.
According to Secura, the Zerologon vulnerability “allows an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.”
Earlier in October, this privilege escalation vulnerability was being exploited in combination with multiple legacy vulnerabilities by advanced persistent threat (APT) actors. This tactic is known as vulnerability chaining, which “exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.”
Satnam Narang, Staff Research Engineer at Tenable, told IT Voice, “Despite multiple warnings about one such vulnerability – Zerologon – from both government agencies and Microsoft, attackers continue to actively exploit the flaw in the wild. There is a new report that ransomware groups are also using the flaw as part of their attack toolkit.”
Microsoft announced it would release the fix in two phases: an Initial Deployment Phase (which began in August) and an Enforcement Phase (slated for a February 9, 2021 roll-out).
Since exploit code for the vulnerability is publicly available, unpatched domain controllers in federal networks are highly exposed and can open the cyberattack floodgates for hackers.
Hence, CISA is urging administrators to patch domain controllers immediately. Narang adds, “This vulnerability remains a hot commodity for attackers as each and every domain controller must be updated to thwart an attack. CISA warned that cybercriminals can exploit a vulnerable system within minutes.”
CISA also released a patch detection script to ensure all systems are fixed. The script runs in an elevated PowerShell session on the domain controller and is available on GitHub. “There is a reason attackers continue to target Zerologon – they continue to find vulnerable systems. This latest alert underscores the importance for organisations to apply the Zerologon patches as soon as possible.”
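As an added example (this is not CISA’s script or any code from the article), the following PowerShell audit, run from an elevated session by a domain administrator, reports for every domain controller whether the August 2020 patch is present, whether enforcement mode is already switched on, and how many vulnerable Netlogon connections it has seen recently. The registry value and the Netlogon event IDs come from Microsoft’s CVE-2020-1472 patch guidance rather than from the article; the `$Days` parameter is this example’s own.

```powershell
# Added example: audit Zerologon (CVE-2020-1472) patch state across all domain controllers.
# Assumes the ActiveDirectory module, PowerShell Remoting to each DC, and Domain Admin rights.
# Registry value and event IDs are from Microsoft's CVE-2020-1472 guidance, not from the article.
param([int]$Days = 7)

# Discover every DC in the domain instead of hard-coding names.
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ArgumentList $Days -ScriptBlock {
    param($Days)

    # FullSecureChannelProtection = 1 forces enforcement mode ahead of the February 2021
    # enforcement phase; absent or 0 means the DC is still in the initial deployment phase.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $enforce = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection

    # The August 2020 patch added these Netlogon events to the System log.
    # An unpatched DC never logs any of them, so their absence over a busy week is itself a signal.
    #   5827 / 5828 : vulnerable secure channel denied (machine account / trust account)
    #   5829        : vulnerable connection allowed (initial deployment phase only)
    #   5830 / 5831 : allowed because an explicit "allow vulnerable connections" policy exists
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'
        Id = 5827, 5828, 5829, 5830, 5831
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DC                = $env:COMPUTERNAME
        EnforcementMode   = ($enforce -eq 1)
        DeniedVulnerable  = @($events | Where-Object Id -in 5827, 5828).Count
        AllowedVulnerable = @($events | Where-Object Id -in 5829, 5830, 5831).Count
        PatchEventsSeen   = ($events.Count -gt 0)
    }
}

# Any DC with EnforcementMode = False or AllowedVulnerable > 0 still needs attention
# before the enforcement phase; 5829 events name the devices that must be fixed first.
$report | Sort-Object DC | Format-Table DC, EnforcementMode, DeniedVulnerable,
    AllowedVulnerable, PatchEventsSeen -AutoSize
```

Run it again after patching and after enabling enforcement mode; the AllowedVulnerable column should drop to zero before February 9, 2021, or those devices will lose their secure channel when Microsoft’s enforcement phase begins.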