Microsoft warned on Thursday that malicious cyber actors have been exploiting the dangerous Zerologon vulnerability in Windows Server systems, which could allow an attacker to gain access to an organisation's Active Directory domain controllers.
"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon," Microsoft's security intelligence team wrote on Twitter.
"We have observed attacks where public exploits have been incorporated into attacker playbooks. We strongly recommend customers to immediately apply security updates," it added.
The warning was posted by Microsoft Security Intelligence (@MsftSecIntel) on September 24, 2020.
The warning from the software giant follows an emergency directive issued last week by the Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security (DHS), which ordered all federal civilian agencies to "apply the Windows Server August 2020 security update to all domain controllers" by 21st September.
The directive said that the bug poses "an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action."
The details of the Zerologon bug were first revealed by researchers from the Dutch cyber security firm Secura on 14th September. Since then, multiple proof-of-concept (PoC) exploits have appeared on the internet in downloadable form.
Indexed as CVE-2020-1472 and rated CVSS 10.0, Zerologon is a critical elevation of privilege bug that allows an attacker with nothing more than network access to a domain controller to reset the domain controller's own machine account password and, from there, become a Domain Admin and take over the organisation's Active Directory.
According to Secura, the vulnerability arises from a flaw in the cryptography of the Netlogon Remote Protocol (MS-NRPC), which domain controllers use to authenticate machines and users: the protocol's ComputeNetlogonCredential function encrypts an 8-byte challenge with AES in CFB8 mode under a session key, but the initialisation vector is fixed to all zeros. With a zero IV, an all-zero challenge encrypts to an all-zero credential whenever the first byte of the cipher's output happens to be zero, which holds for roughly one session key in 256.
Researchers have named the bug 'Zerologon' because an attacker with minimal access to a vulnerable network can authenticate to the domain controller by sending Netlogon messages made up of zero bytes: the attacker does not know the session key, but each new handshake produces a fresh one, so on average about 256 attempts are enough before a zero credential is accepted. The vulnerability impacts most supported versions of Windows Server, from Server 2008 through Server 2019.
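The following block is an added example illustrating the CFB8 property described above; it is not Secura's exploit code and not Microsoft's implementation. It reproduces CFB8 mode generically and, as an assumption, swaps AES for a SHA-256-based stand-in block function, because the weakness depends only on the mode and the all-zero IV, not on the cipher. The function names, the simulated session keys and the attempt counter are all constructed for the example.

```python
# Added example for this article (not Secura's exploit and not Microsoft's code): the
# CFB8 zero-IV property behind Zerologon, reproduced with a generic CFB8 routine.
# Assumption: AES is replaced by a SHA-256-based stand-in block function, because the
# property depends only on the mode (CFB8 with an all-zero IV), not on the cipher.
import hashlib
import random

BLOCK = 16          # AES block size; the stand-in uses the same width
CHALLENGE_LEN = 8   # MS-NRPC challenges and credentials are 8 bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (assumption): a keyed pseudo-random function on 16-byte blocks."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes, enc=toy_block_encrypt) -> bytes:
    """Generic CFB8: encrypt the shift register, XOR its first byte with one plaintext byte,
    then shift that ciphertext byte into the register. MS-NRPC's ComputeNetlogonCredential
    uses this mode with the IV fixed to all zeros."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = enc(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        # A zero ciphertext byte shifted into an all-zero register leaves it all zeros,
        # so every later keystream byte is the same one: the whole output stays zero.
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Credential = CFB8(session_key, IV = 0^16, challenge), as in the vulnerable protocol."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zero_credential_accepted(session_key: bytes) -> bool:
    """The Zerologon condition: does an all-zero client challenge yield an all-zero
    credential, so that a client sending zeros for both is authenticated?"""
    return compute_netlogon_credential(session_key, bytes(CHALLENGE_LEN)) == bytes(CHALLENGE_LEN)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """Equivalent condition: the first byte of E_k(0^16) is zero (probability 1/256 per key)."""
    return toy_block_encrypt(session_key, bytes(BLOCK))[0] == 0


def sample_keys(n: int, seed: int = 0) -> list:
    """Constructed sample session keys (the real key is derived from the server challenge,
    which the attacker cannot choose but can cause to be regenerated on every attempt)."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(BLOCK)) for _ in range(n)]


def attempts_until_accepted(seed: int = 0, limit: int = 100_000) -> int:
    """Simulate the attacker: retry the zero-challenge handshake against a fresh session
    key each time and count attempts until the zero credential is accepted (about 256 on average)."""
    rng = random.Random(seed)
    for attempt in range(1, limit + 1):
        key = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        if zero_credential_accepted(key):
            return attempt
    raise RuntimeError("no weak key within limit")


def find_weak_key(seed: int = 0) -> bytes:
    """Return a session key for which the zero credential is accepted."""
    rng = random.Random(seed)
    while True:
        key = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        if zero_credential_accepted(key):
            return key


if __name__ == "__main__":
    keys = sample_keys(10_000)
    weak = sum(map(zero_credential_accepted, keys))
    print(f"{weak} of {len(keys)} random session keys accept an all-zero credential (~1/256 expected)")
    print(f"simulated attacker needed {attempts_until_accepted(seed=42)} attempts")
    k = find_weak_key()
    print("zero IV   :", compute_netlogon_credential(k, bytes(8)).hex())
    print("other IV  :", cfb8_encrypt(k, bytes(range(16)), bytes(8)).hex(), "(property gone)")
```

The last two lines of the demo show the design point: with any IV other than all zeros, a zero ciphertext byte changes the shift register, so each subsequent keystream byte is independent and an all-zero output of 8 bytes needs all eight to line up (probability 2^-64) rather than just the first (probability 2^-8). The fix in MS-NRPC is not a different IV, however; Microsoft's update instead makes the domain controller refuse the insecure (unsigned, unsealed) Netlogon channel the attacker relies on.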
In August, Microsoft released a fix for Zerologon, rating the vulnerability's actual exploitation as "less likely". The August update is only the first of two phases: it makes domain controllers require secure RPC from Windows machine accounts and logs, rather than blocks, other non-compliant connections (Netlogon event IDs 5827 to 5831 on the domain controller), while the enforcement phase that rejects all vulnerable connections was scheduled for February 2021. Administrators who have patched can switch enforcement on early by setting the FullSecureChannelProtection registry value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, after checking those event logs for third-party devices that would be cut off.
The company has now published a threat analytics report to help admins assess the exposure of their networks, although the report is available only to Microsoft 365 customers with access to the Microsoft Defender Security Center.
"Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations and detection details designed to empower SecOps to detect and mitigate this threat," the company said.
Last week, cyber security firm 0patch released its own "micropatch" for the bug, noting that Microsoft's fix is not available for every affected system.
0patch said that its micropatch was logically identical to Microsoft's fix and "primarily targeted at Windows Server 2008 R2 users without Extended Security Updates".
Samba, the open-source implementation of Microsoft's file-sharing and domain protocols that lets Windows, Linux and Mac systems communicate with one another, has also released its own Zerologon patch.
Samba implements the Netlogon protocol when it runs as an Active Directory domain controller or classic NT4-style domain controller, and therefore suffers from the same vulnerability. Samba's advisory notes that installations running version 4.8 or later with the default 'server schannel = yes' setting already insist on a secure Netlogon channel and are protected against the known exploits; older versions, or any configuration that sets 'server schannel' to 'no' or 'auto', need the patched releases.