The Windows operating system has been an all-time favorite target for several cyber attackers due to its massive market share and its predisposition to a large number of vulnerabilities. Recently, a vulnerability was identified by researchers in Windows servers that could allow an attacker to access the internal networks and become domain admin.
What was found?
Identified and tracked as CVE-2020-1472, the flaw may allow an attacker to become a domain admin via a new attack dubbed Zerologon.
The Zerologon attack is based on the exploitation of the privilege escalation vulnerability, CVE-2020-1472, which resides in Netlogon.
The Netlogon authentication mechanism is primarily used to verify login requests in the Windows Client Authentication Architecture.
To exploit this vulnerability, the attacker needs to connect to a domain controller via a Netlogon secure channel connection using the Netlogon Remote Protocol (MS-NRPC).
Once connected, the attacker can obtain domain administrator access and use it in carrying out malicious activities.
Other Windows threats
In August, an updated variant of Lemon_Duck cryptomining malware was seen targeting the SMBGhost (CVE-2020-0796) vulnerability in the Windows SMBv3 Client/Server RCE
In July, Microsoft had patched a wormable (i.e. self-propagating) vulnerability dubbed Sigred that affected Windows DNS. Tracked as CVE-2020-1350, this vulnerability is capable of jumping across vulnerable machines without any user interaction.
In its August 2020 Patch Tuesday security updates, Microsoft had provided a temporary fix, and a complete patch is expected by February 2021. Besides these updates, users are recommended to apply the patches for all the deployed applications, firmware, and Windows OS to stay protected.