Windows has long been a favorite target for attackers because of its massive market share and its long history of vulnerabilities. Recently, researchers identified a vulnerability in Windows servers that could allow an attacker to gain access to internal networks and become a domain admin.
What was found?
Identified and tracked as CVE-2020-1472, the flaw may allow an attacker to become a domain admin via a new attack dubbed Zerologon.
- The Zerologon attack exploits CVE-2020-1472, a privilege escalation vulnerability that resides in Netlogon.
- The Netlogon authentication mechanism is primarily used to verify login requests in the Windows Client Authentication Architecture.
- To exploit this vulnerability, the attacker needs to connect to a domain controller via a Netlogon secure channel connection using the Netlogon Remote Protocol (MS-NRPC).
- Once connected, the attacker can obtain domain administrator access and use it to carry out malicious activities.
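Because the attack requires a Netlogon secure channel connection to a domain controller, the domain controllers' own Netlogon logging is the natural place to look for it. The following triage script is an added example, not code from the original article or from Microsoft: it reads an exported set of System-log events (a constructed JSON-lines sample with assumed field names) and separates vulnerable connections the DC denied (Event IDs 5827 and 5828, which Microsoft's August 2020 update writes when a vulnerable secure channel is refused) from vulnerable connections it still allowed (Event ID 5829, which must be remediated before enforcement mode). Repeated denials from a single machine account in a short window are flagged as worth investigating.

```python
import json
from collections import Counter, defaultdict

# Netlogon event IDs written to the System log by domain controllers after
# the August 2020 CVE-2020-1472 update (Microsoft's guidance, not this page).
NETLOGON_EVENTS = {
    5827: "denied vulnerable secure channel from a machine account",
    5828: "denied vulnerable secure channel from a trust account",
    5829: "allowed vulnerable secure channel (denied once enforcement is on)",
}

# Constructed sample export, one JSON object per line. The field names
# (EventID, TimeCreated, Machine, Domain) are an assumption for this example;
# a real export from Get-WinEvent would need its own field mapping.
SAMPLE_LOG = """\
{"EventID": 5829, "TimeCreated": "2020-09-15T08:01:12Z", "Machine": "LEGACY-NAS$", "Domain": "CORP"}
{"EventID": 5827, "TimeCreated": "2020-09-15T08:02:40Z", "Machine": "WS-0412$", "Domain": "CORP"}
{"EventID": 5827, "TimeCreated": "2020-09-15T08:02:41Z", "Machine": "WS-0412$", "Domain": "CORP"}
{"EventID": 5827, "TimeCreated": "2020-09-15T08:02:41Z", "Machine": "WS-0412$", "Domain": "CORP"}
{"EventID": 5829, "TimeCreated": "2020-09-15T09:30:00Z", "Machine": "LEGACY-NAS$", "Domain": "CORP"}
{"EventID": 4624, "TimeCreated": "2020-09-15T09:31:00Z", "Machine": "WS-0007$", "Domain": "CORP"}
{"EventID": 5828, "TimeCreated": "2020-09-15T10:15:09Z", "Machine": "PARTNER$", "Domain": "EXT"}
"""


def parse_events(text):
    """Yield only the Netlogon secure-channel events from a JSON-lines export."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("EventID") in NETLOGON_EVENTS:
            yield rec


def triage(text, denial_threshold=3):
    """Summarise vulnerable Netlogon connections by event ID and account.

    needs_remediation: accounts still allowed to use a vulnerable channel (5829);
    suspicious_denials: accounts denied at least `denial_threshold` times,
    which may be a non-compliant device or an exploitation attempt.
    """
    counts = Counter()
    allowed = defaultdict(int)
    denied = defaultdict(int)
    for rec in parse_events(text):
        eid = rec["EventID"]
        counts[eid] += 1
        account = f'{rec["Domain"]}\\{rec["Machine"]}'
        if eid == 5829:
            allowed[account] += 1
        else:
            denied[account] += 1
    return {
        "counts": dict(counts),
        "needs_remediation": sorted(allowed),
        "denied_accounts": sorted(denied),
        "suspicious_denials": sorted(
            acct for acct, n in denied.items() if n >= denial_threshold
        ),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for eid, n in sorted(result["counts"].items()):
        print(f"{eid} ({NETLOGON_EVENTS[eid]}): {n}")
    print("still allowed, fix before enforcement:", result["needs_remediation"])
    print("repeated denials, investigate:", result["suspicious_denials"])
```

On a real domain controller the input would come from an export of the System log filtered to these event IDs; the point of the split is that a non-empty `needs_remediation` list means devices in the estate are still negotiating vulnerable channels and will break when enforcement is turned on, while `suspicious_denials` is the list an incident responder should look at first.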
Other Windows threats
- In August, an updated variant of the Lemon_Duck cryptomining malware was seen targeting SMBGhost (CVE-2020-0796), a remote code execution vulnerability in the Windows SMBv3 client and server.
- In July, Microsoft patched a wormable (i.e., self-propagating) vulnerability dubbed SIGRed that affected Windows DNS. Tracked as CVE-2020-1350, this vulnerability is capable of jumping across vulnerable machines without any user interaction.
In its August 2020 Patch Tuesday security updates, Microsoft provided a temporary fix, and a complete patch is expected by February 2021. Besides these updates, users are advised to apply the patches for all deployed applications, firmware, and the Windows OS to stay protected.