Microsoft warns about ongoing attacks using Windows Zerologon flaw

Microsoft’s Threat Intelligence Center (MSTIC) warns of ongoing attacks that exploit CVE-2020-1472, the critical, CVSS 10/10-rated ZeroLogon flaw in the Netlogon protocol.

According to the company, the attacks were observed repeatedly over the last two weeks and are attributed to MERCURY, the Iranian-backed cyber-espionage group also tracked as MuddyWater, which has been launching them with ZeroLogon exploits.

“MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching.”

A similar warning was issued by the company last month, on September 23rd, when it urged IT admins to apply the security updates released as part of the August 2020 Patch Tuesday to defend against attacks using public ZeroLogon exploits.

ZeroLogon is a critical elevation-of-privilege flaw in the Netlogon Remote Protocol that an unauthenticated attacker with network access to a domain controller can use to obtain domain administrator privileges. Once exploited, the attacker can take complete control of the domain, change any user’s password and execute any command.

A week later, Cisco Talos also warned of “a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon.”

Microsoft is rolling out the fix for ZeroLogon in two stages, because enforcing secure RPC immediately would cause authentication failures on some affected devices.

The first stage, released on August 11, 2020, makes Windows Active Directory domain controllers require secure RPC for Windows machine accounts, trust accounts and all domain controllers, and logs authentication requests from non-Windows devices that do not secure their RPC channels, so admins can fix or replace the affected devices before enforcement begins.

The second stage, starting with the February 2021 Patch Tuesday update, will turn on enforcement mode by default: domain controllers will then require secure RPC from all devices unless an admin explicitly allows a specific account through group policy.

On September 29th the company clarified the steps needed to protect devices against the ongoing attacks using ZeroLogon exploits. At that time, Microsoft outlined the following update plan:

  • Update the domain controllers with the update released August 11, 2020 or later
  • Find which devices are making vulnerable connections by monitoring event logs
  • Address non-compliant devices
  • Enable enforcement mode to address CVE-2020-1472
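The following PowerShell script is an added example that walks through steps two to four of that plan on a patched domain controller; it is not from the article or from Microsoft. It assumes the Netlogon event IDs (5827/5828 denied, 5829 allowed but vulnerable, 5830/5831 allowed by group-policy exception) and the FullSecureChannelProtection registry value documented for the August 2020 update, and that the event message contains the documented "Machine SamAccountName:" line; the seven-day lookback window is an arbitrary choice.

```powershell
# Added example (not the article's or Microsoft's code). Run elevated on each
# domain controller that has the August 11, 2020 (or later) update installed.
# Step 2: list machine accounts still making vulnerable Netlogon connections
# (event 5829); step 4: enable enforcement mode once that list is empty.

$since = (Get-Date).AddDays(-7)   # assumption: one week of logs is enough

# 5827/5828 = connection denied; 5829 = allowed but vulnerable (must be fixed);
# 5830/5831 = allowed only because of a group-policy exception.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = $since
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Pull the account and OS out of the event text; trust-account events
    # (5828) carry a trust name instead, so fall back to '<unknown>'.
    $name = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
    $os   = if ($e.Message -match 'Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
    $status = switch ($e.Id) {
        5827    { 'denied' }
        5828    { 'denied' }
        5829    { 'allowed-vulnerable' }
        default { 'allowed-by-policy' }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Status  = $status
        Account = $name
        OS      = $os
    }
}

# Step 2 result: distinct accounts that are still non-compliant.
$vulnerable = $report | Where-Object EventId -eq 5829 |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account';  e = { $_.Name } },
                  Count,
                  @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } },
                  @{ n = 'OS';       e = { ($_.Group.OS | Select-Object -First 1) } }

$vulnerable | Format-Table -AutoSize

# Step 4: enforcement mode is controlled by this registry value (1 = enforce).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$current = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
Write-Host "FullSecureChannelProtection currently: $(if ($null -eq $current) { 'not set (default)' } else { $current })"

if ($vulnerable.Count -eq 0) {
    # Nothing vulnerable seen in the window: enforce now instead of waiting
    # for the February 2021 update to switch enforcement on for you.
    Set-ItemProperty -Path $key -Name FullSecureChannelProtection -Value 1 -Type DWord
    Write-Host 'Enforcement mode enabled: vulnerable Netlogon connections are now refused from all devices.'
}
else {
    # Step 3 still outstanding: patch or replace these devices first.
    Write-Warning "$($vulnerable.Count) account(s) still use vulnerable Netlogon connections; fix or replace them before enabling enforcement."
}
```

Run it on every domain controller, because each DC logs only the connections it served. A device that cannot be fixed (for example, a third-party appliance without a vendor patch) should be added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy rather than left to block enforcement for the whole domain; its connections will then show up as 5830/5831 instead of 5829.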