Microsoft issues warning about actively exploited Zerologon vulnerability in Windows
It is just days since the CISA (Cybersecurity and Infrastructure Security Agency) issued an emergency warning about a critical Windows vulnerability. Now Microsoft has issued a warning that the vulnerability is being actively exploited and the company is "actively tracking threat actor activity".
The Netlogon EoP vulnerability (CVE-2020-1472) is concerning not just because of its severity, but because of the fact that it can be exploited in a matter of seconds. The security issue affects Windows Server 2008 and above, and enables an attacker to gain admin control of a domain.
See also:
- Alleged source code for Windows XP and other Microsoft software leaks online
- CISA issues emergency warning over critical Windows vulnerability
- Microsoft acknowledges that Windows 10 KB4568831 update is crashing Lenovo ThinkPads
Writing on Twitter, the company said: "Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks".
The security issue was discovered by Tom Tervoort, a security researcher at Secura, and the company went on to publish a technical paper and a proof-of-concept tool.
Microsoft's security intelligence team posted several tweets about the vulnerability:
Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat.
— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
Sample exploit IOCs (SHA-256): b9088bea916e1d2137805edeb0b6a549f876746999fbb1b4890fb66288a59f9d, 24d425448e4a09e1e1f8daf56a1d893791347d029a7ba32ed8c43e88a2d06439, c4a97815d2167df4bdf9bfb8a9351f4ca9a175c3ef7c36993407c766b57c805b
— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
Microsoft has already issued a patch for the vulnerability, and users are encouraged to install this as soon as possible if they have not done so already. There is also a micropatch available from 0patch aimed at people for whom Microsoft's official patch poses a compatibility issue.
Image credit: Walter Cicchetti / Shutterstock