National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, banks and communication providers of the Republic of Cyprus.

Microsoft: Hackers using Zerologon exploits in attacks, Patch Now!

24 September 2020

Microsoft has warned that attackers are actively using the Windows Server Zerologon exploits in attacks and advises all Windows administrators to install the necessary security updates.

As part of the August 2020 Patch Tuesday security updates, Microsoft fixed a critical 10/10 rated security vulnerability known as ‘CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability’.

This vulnerability has been named ‘Zerologon’ by cybersecurity firm Secura, and when exploited, allows attackers to elevate their privileges to a domain administrator and take control over a domain.

Soon after Secura published its write-up on how the vulnerability was discovered, researchers released proof-of-concept exploits demonstrating how it could be exploited.

Microsoft warns of active Zerologon attacks

In a series of tweets tonight, Microsoft warned that Zerologon exploits are actively being used in attacks and that admins should install the necessary security updates immediately.

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.”

“Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat.”

“We’ll continue to monitor developments and update the threat analytics report with latest info. We strongly recommend customers to immediately apply security updates for CVE-2020-1472. Microsoft 365 customers can use threat & vulnerability management data to see patching status,” Microsoft tweeted tonight.

Included in these tweets are three samples that Microsoft states were used in the attacks to exploit the ZeroLogon CVE-2020-1472 Netlogon elevation of privilege vulnerability.

The samples are .NET executables with the filename ‘SharpZeroLogon.exe’ and can be found on VirusTotal [1] [2] [3].

[Image: SharpZeroLogon.exe]

In one of the samples examined, the NTLM hash of the domain controller account is changed to 31d6cfe0d16ae931b73c59d7e0c089c0, which is the hash of an empty password.
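The value quoted above is not arbitrary: an NT hash is MD4 over the UTF-16LE encoding of the password, so the hash of an empty password is simply MD4 of zero bytes. The following is an added example, not code from the article, from Microsoft or from the samples it describes. It implements MD4 in pure Python (hashlib's md4 is unavailable on many modern OpenSSL builds), derives the empty-password hash, and shows a defender's audit check that flags accounts whose stored hash equals it. The account records are constructed sample data, and the function and record names are this example's own assumptions.

```python
import struct

MASK32 = 0xFFFFFFFF
# NT hash of the empty password, as cited in the article above.
EMPTY_PASSWORD_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 as specified in RFC 1320."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)

    # (round function, message-word order, per-step shifts, additive constant)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z),
         list(range(16)), (3, 7, 11, 19), 0x00000000),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        st = [a, b, c, d]
        for f, order, shifts, k in rounds:
            for i in range(16):
                j = (-i) % 4  # which register plays the role of "a" in this step
                av, bv, cv, dv = st[j], st[(j + 1) % 4], st[(j + 2) % 4], st[(j + 3) % 4]
                st[j] = _rotl((av + f(bv, cv, dv) + x[order[i]] + k) & MASK32, shifts[i % 4])
        a = (a + st[0]) & MASK32
        b = (b + st[1]) & MASK32
        c = (c + st[2]) & MASK32
        d = (d + st[3]) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def find_empty_password_accounts(records):
    """Audit helper (hypothetical name): return account names whose stored NT hash
    is the empty-password hash. `records` is an iterable of (sAMAccountName, hex hash)
    pairs, e.g. from an authorised offline review of a directory credential export.
    A domain controller machine account (name ending in '$') with this hash is a
    strong sign of the password reset described in the article."""
    return [name for name, h in records if h.lower() == EMPTY_PASSWORD_NT_HASH]


# Constructed sample records (not real data); the hashes other than the first are
# placeholder hex values and do not belong to any real account.
SAMPLE_RECORDS = [
    ("DC01$", "31d6cfe0d16ae931b73c59d7e0c089c0"),
    ("DC02$", "8846f7eaee8fb117ad06bdd830b7586c"),
    ("alice", "00112233445566778899aabbccddeeff"),
]

if __name__ == "__main__":
    print("NT hash of empty password:", nt_hash(""))
    print("Accounts with empty-password hash:", find_empty_password_accounts(SAMPLE_RECORDS))
```

Running the block prints the hash from the article for the empty password and flags only `DC01$` in the constructed records. Comparing directly against the known empty-password hash is cheap and exact, which is why it is a useful first check before any broader credential audit.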

At this time, Microsoft is not sharing further details about the attacks.

All Windows Server administrators are strongly advised to install the security update for CVE-2020-1472 using the Microsoft support bulletin’s instructions.

The information in this article is gathered from BLEEPING COMPUTER.
