Hackers Actively Using Windows Server Zerologon Exploits

Whenever a critical security bug is publicized, skilled attackers rush to weaponize it. That is what has happened with Zerologon, a critical vulnerability in the Netlogon Remote Protocol implemented by Windows domain controllers, tracked as CVE-2020-1472 and rated 10/10 on the CVSS scale. An unauthenticated attacker with network access to a domain controller can exploit it to take over the entire domain.

What is the latest update?

  • Microsoft warned in a series of tweets that attackers are actively using Zerologon exploits against Windows domain controllers.
  • Microsoft also shared samples (.NET executables) that were being used to exploit the Netlogon elevation of privilege vulnerability (CVE-2020-1472).

Actions taken

  • Microsoft has urged all Windows Server administrators to install the security update for CVE-2020-1472 immediately, following the instructions in its support bulletin. Installing the update alone only enables the initial deployment phase, in which the patched domain controller logs vulnerable connections from non-Windows devices but still accepts them; the bulletin also describes the enforcement mode that blocks them.
  • A few days ago, the DHS CISA issued an emergency directive requiring federal civilian agencies to patch this extremely dangerous vulnerability by September 21.
  • Secura, whose researchers discovered the flaw, has also released a tool to check whether a domain controller is vulnerable to the Zerologon attack (CVE-2020-1472).
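As an added example (not from the original article, and not Microsoft's or Secura's tool), the PowerShell script below is meant to be run on each domain controller after the update and answers what the patch leaves open: it checks that an update installed on or after 2020-08-11 (the Patch Tuesday on which the CVE-2020-1472 fix shipped) is present, whether the FullSecureChannelProtection registry value that switches the DC into enforcement mode is set, and summarizes the Netlogon events 5827 through 5831 that a patched DC writes when it denies or allows a vulnerable secure-channel connection. The seven-day lookback and the use of the install date rather than a specific KB number are choices made here, not anything the article specifies.

```powershell
# Added example, not from the original article: post-patch Zerologon check for a
# domain controller. Run elevated on every DC in the forest.
#Requires -RunAsAdministrator

# 1. Is the DC patched? The CVE-2020-1472 fix shipped on 2020-08-11; any
#    cumulative update installed on or after that date contains it.
#    (Date-based check chosen here instead of per-OS KB numbers.)
$patchDate = Get-Date '2020-08-11'
$recent = Get-HotFix |
          Where-Object { $_.InstalledOn -ge $patchDate } |
          Sort-Object InstalledOn -Descending
if ($recent) {
    Write-Host "Updates installed since 2020-08-11:"
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since 2020-08-11; install the CVE-2020-1472 update now."
}

# 2. Enforcement mode. In the initial deployment phase the patched DC still
#    accepts vulnerable Netlogon connections from non-Windows devices unless
#    this value is set to 1.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$fscp = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($fscp -eq 1) {
    Write-Host "FullSecureChannelProtection = 1 (enforcement mode on)."
} else {
    Write-Warning "FullSecureChannelProtection is not 1; vulnerable Netlogon connections may still be accepted."
}

# 3. Triage the Netlogon events written by the patched DC (last 7 days,
#    window chosen here):
#    5827/5828: vulnerable connection denied (machine account / trust account)
#    5829:      vulnerable connection allowed in deployment phase -> fix that client
#    5830/5831: vulnerable connection allowed by an explicit group-policy exception
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No vulnerable Netlogon connection events in the last 7 days."
} else {
    $events | Group-Object Id | ForEach-Object {
        "Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count
    }
    # 5829 is the one to chase: each entry names a machine account that still
    # negotiates the insecure channel. List the distinct messages.
    $events | Where-Object Id -eq 5829 |
        ForEach-Object { $_.Message } | Sort-Object -Unique
}
```

Any 5829 events identify machine accounts that still negotiate the insecure channel. Those clients need to be fixed, or explicitly exempted through the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, before enforcement mode is turned on, otherwise they will be cut off from the domain.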

Other domain controller threats

  • Last month, DarkSide ransomware began attacking organizations with customized attacks that target administrator accounts and Windows domain controllers.
  • In June, Tycoon ransomware was used against an organization, attacking its domain controller and file servers and locking the system administrators out of their systems.

Conclusion

Attackers continuously attempt to exploit every major vulnerability affecting enterprise systems. To defend against such threats, organizations should take a proactive approach to security: automated patch management and frequent configuration audits shrink the window in which a freshly disclosed vulnerability can be exploited. For Zerologon specifically, that means patching every domain controller rather than a sample of them, since a single unpatched DC is enough to compromise the whole domain.