Security Market Segment LS
Friday, 25 September 2020 08:41

Microsoft says Zerologon being exploited, urges users to patch

By Sam Varghese

Image by Clker-Free-Vector-Images from Pixabay

Software giant Microsoft has warned that a flaw known as Zerologon is being actively exploited and urged users to patch their systems.

The flaw affects all supported versions of Windows. The vulnerability is present in Microsoft Windows Netlogon Remote Protocol, a core authentication component of Active Directory.

It allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services.

Earlier this week, US federal agencies were warned about patching the hole. Microsoft released a patch for the flaw last month and updated it last Tuesday.

In a series of tweets on Thursday, Microsoft said it was "actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks."

Senior security specialist Tom Tervoort of the firm Secura discovered the flaw. In a joint advisory with technical director Ralph Moonen, the pair said: "Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint."

Tervoort and Moonen said the issue was caused by a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords.

"This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf," they wrote.
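The Secura write-up the article refers to explains that the defective scheme is AES in CFB8 mode run with an all-zero IV; the following Python is an added illustration (not code from the article, Microsoft or Secura) of why that collapses: with a zero IV, an all-zero plaintext encrypts to all zeros for roughly one key in 256, because once the first keystream byte is zero the shift register never changes. The block cipher here is a constructed stand-in (a keyed hash truncated to one block), not AES, since the property depends only on the mode.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes, as for AES


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a 128-bit block cipher (NOT AES): a keyed hash
    truncated to one block. Only its random-looking output matters here."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E_k(register),
    and the resulting ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_cipher(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_iv_collapses(key: bytes, n: int = 8) -> bool:
    """True if n zero plaintext bytes encrypt to n zero bytes under a zero IV.
    If E_k(0^16)[0] == 0, the first ciphertext byte is 0, the register stays
    all zeros, and every later byte is 0 too: the IV never changes anything."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(n)) == bytes(n)


def fraction_of_collapsing_keys(trials: int) -> float:
    """Empirical rate at which a zero IV collapses; expected close to 1/256."""
    hits = sum(zero_iv_collapses(i.to_bytes(4, "big")) for i in range(trials))
    return hits / trials


def find_collapsing_key(limit: int = 1 << 16) -> bytes:
    for i in range(limit):
        key = i.to_bytes(4, "big")
        if zero_iv_collapses(key):
            return key
    raise RuntimeError("no collapsing key found in range")


if __name__ == "__main__":
    k = find_collapsing_key()
    print("key:", k.hex())
    print("zero IV   :", cfb8_encrypt(k, bytes(BLOCK), bytes(8)).hex())
    print("random IV :", cfb8_encrypt(k, os.urandom(BLOCK), bytes(8)).hex())
    print("collapse rate over 4096 keys:", fraction_of_collapsing_keys(4096))
```

The same key produces an unpredictable ciphertext as soon as the IV is random, which is why a fixed IV, not the cipher, is the root of the weakness.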

Commenting on the flaw, Scott Caveza, research engineering manager at security shop Tenable, said: "Shortly after the blog post from Secura was published, detailing the impact and technical information about Zerologon, multiple proof-of-concept scripts emerged.

"In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand upon previous code to add further automated and sophisticated attack scenarios. We anticipated attackers would seize the opportunity and begin exploiting the flaw very quickly, which we're now seeing play out.

"Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we're seeing attacks in the wild. Administrators should prioritise patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and [will be] integrated into malicious campaigns.

"Several samples of malicious .NET executables with the filename 'SharpZeroLogon.exe' have been uploaded to VirusTotal. Microsoft Security Intelligence has shared sample SHA-256 hashes to aid defenders in investigating any exploited systems."

Sam Varghese
Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.