The security intelligence team at Microsoft Corporation (NASDAQ:MSFT) said attackers are actively exploiting the CVE-2020-1472 Netlogon elevation-of-privilege vulnerability, known as Zerologon, in the wild.
Secura BV, a Dutch security firm, published the details of the Zerologon vulnerability on September 14, 2020, about a month after Microsoft had shipped the fix in its August 2020 security updates. Since the publication, multiple proof-of-concept (PoC) exploits have become freely available online, so even low-skilled threat actors can exploit Zerologon.
Attackers gain access to Windows Server 2008 and later
The Zerologon vulnerability lets attackers take over domain controllers running Windows Server 2008 and later versions. CISA (the Cybersecurity and Infrastructure Security Agency) in the US said an attacker can compromise a domain controller without any authentication. Once the domain controller is compromised, the attacker controls all Active Directory services on that server and, through them, the entire network.
CISA orders civilian agencies to apply the patch
CISA issued an emergency directive (Emergency Directive 20-04, September 18, 2020) requiring all federal civilian executive branch agencies to apply the patch by September 21, 2020. The agency said the vulnerability poses an unacceptable risk to the government's IT systems, and it urged private-sector organizations to apply the patch to their Windows domain controllers immediately as well. In some instances attackers have already used the flaw to obtain domain administrator privileges without authenticating. Microsoft warned yesterday that attackers are actively exploiting the vulnerability to gain access to servers and the networks behind them.
In a tweet, Microsoft said it is actively tracking the activity of threat actors who are exploiting the Zerologon vulnerability. It has observed attacks in which the public exploits have been incorporated into attacker playbooks.
Microsoft added that it will continue to track developments and will soon publish an update in its threat analytics. It urges all customers to apply the Zerologon patch.
Many organizations are still running exposed domain controllers. They have delayed the patch out of concern that it will disrupt legacy applications.
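Patched domain controllers give administrators the evidence they need to resolve that concern: the August 2020 update added System-log events 5827 and 5828 (a vulnerable Netlogon secure channel connection was denied) and 5829, 5830 and 5831 (one was allowed, because enforcement is not yet on or because a group-policy exception permits it). The following Python triage is an added example, not code from the article, Microsoft, CISA or Secura. It runs over a constructed CSV export (the `SAMPLE_EXPORT` string, with a simplified message format) and separates blocked exploitation attempts from the legacy devices that would break once enforcement is switched on.

```python
"""Triage of Netlogon events 5827-5831 from a patched domain controller.

Added example with constructed sample data; the CSV layout and message
wording are a simplified stand-in for a real Event Viewer export.
"""
import csv
import io
import json
import re
from collections import defaultdict

# Event IDs introduced by the August 2020 CVE-2020-1472 update.
DENIED_VULNERABLE = {5827: "machine account", 5828: "trust account"}
ALLOWED_VULNERABLE = {
    5829: "machine account, compatibility mode",
    5830: "machine account, allowed by group policy",
    5831: "trust account, allowed by group policy",
}

# Constructed sample export: time,event_id,source,message
SAMPLE_EXPORT = """\
time,event_id,source,message
2020-09-24 08:12:01,5829,NETLOGON,"The Netlogon service allowed a vulnerable Netlogon secure channel connection. SamAccountName: PRINTSRV01$ Domain: CORP Client IP Address: 10.0.4.17"
2020-09-24 08:12:05,5829,NETLOGON,"The Netlogon service allowed a vulnerable Netlogon secure channel connection. SamAccountName: PRINTSRV01$ Domain: CORP Client IP Address: 10.0.4.17"
2020-09-24 08:13:40,5827,NETLOGON,"The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. SamAccountName: DC01$ Domain: CORP Client IP Address: 10.0.9.99"
2020-09-24 08:14:02,5829,NETLOGON,"The Netlogon service allowed a vulnerable Netlogon secure channel connection. SamAccountName: NAS-LEGACY$ Domain: CORP Client IP Address: 10.0.6.8"
2020-09-24 08:15:00,7036,Service Control Manager,"The Windows Update service entered the running state."
"""

# Pulls the two fields we care about out of the (constructed) message text.
FIELD_RE = re.compile(
    r"SamAccountName:\s*(?P<account>\S+).*?Client IP Address:\s*(?P<ip>\S+)"
)


def parse_export(text):
    """Yield (event_id, account, client_ip) for every 5827-5831 record."""
    for row in csv.DictReader(io.StringIO(text)):
        event_id = int(row["event_id"])
        if event_id not in DENIED_VULNERABLE and event_id not in ALLOWED_VULNERABLE:
            continue  # unrelated System-log noise
        match = FIELD_RE.search(row["message"])
        if match:
            yield event_id, match.group("account"), match.group("ip")


def triage(text):
    """Summarise a log export into what an administrator has to act on."""
    denied = defaultdict(set)   # account -> client IPs that were refused
    allowed = defaultdict(set)  # account -> client IPs still using the weak channel
    for event_id, account, ip in parse_export(text):
        bucket = denied if event_id in DENIED_VULNERABLE else allowed
        bucket[account].add(ip)

    # These event IDs only exist once the update is installed, so seeing any
    # of them proves the DC is patched; seeing none proves nothing.
    patched = bool(denied) or bool(allowed)
    return {
        "dc_patched": patched,
        # Refused connections. Public PoCs authenticate as the DC's own machine
        # account, so a DC account name arriving from a non-DC address is the
        # pattern worth investigating as an exploitation attempt.
        "blocked_attempts": {a: sorted(ips) for a, ips in denied.items()},
        # Devices that will stop authenticating once enforcement is enabled;
        # fix or retire these before turning it on.
        "enforcement_blockers": {a: sorted(ips) for a, ips in allowed.items()},
        "ready_for_enforcement": patched and not allowed,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXPORT), indent=2))
```

On a real domain controller the input would come from the System log, for example `Get-WinEvent -FilterHashtable @{LogName='System'; Id=5827,5828,5829,5830,5831}` exported to CSV. The `enforcement_blockers` list is the answer to the legacy-app worry: it names exactly the accounts that will fail when enforcement mode is enabled (via the `FullSecureChannelProtection` registry value or Microsoft's February 2021 enforcement phase), while the patch itself can be applied without waiting.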
Scott Caveza, research engineering manager at Tenable, urged all system administrators to install the security updates immediately. He said the flaw can be exploited with ease and lets an attacker take over the entire Windows domain, so administrators should prioritize the patch and apply it without any further delay.