Friday, 25 September 2020 08:41

Microsoft says Zerologon being exploited, urges users to patch

By Sam Varghese

Software giant Microsoft has warned that a flaw known as Zerologon is being actively exploited and urged users to patch their systems.

The flaw affects all supported versions of Windows. The vulnerability is present in Microsoft Windows Netlogon Remote Protocol, a core authentication component of Active Directory.

It allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services.

Earlier this week, US federal agencies were warned about patching the hole. Microsoft released a patch for the flaw last month and updated it last Tuesday.

In a series of tweets on Thursday, Microsoft said it was "actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks."

Senior security specialist Tom Tervoort of the firm Secura discovered the flaw. In a joint advisory with technical director Ralph Moonen, the pair said: "Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint."

Tervoort and Moonen said the issue was caused by a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords.

"This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf," they wrote.

Commenting on the flaw, Scott Caveza, research engineering manager at security shop Tenable, said: "Shortly after the blog post from Secura was published, detailing the impact and technical information about Zerologon, multiple proof-of-concept scripts emerged.

"In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand upon previous code to add further automated and sophisticated attack scenarios. We anticipated attackers would seize the opportunity and begin exploiting the flaw very quickly, which we're now seeing play out.

"Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we're seeing attacks in the wild. Administrators should prioritise patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and [will be] integrated into malicious campaigns.

"Several samples of malicious .NET executables with the filename 'SharpZeroLogon.exe' have been uploaded to VirusTotal. Microsoft Security Intelligence has shared sample SHA-256 hashes to aid defenders in investigating any exploited systems."


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
