Microsoft detects Netlogon vulnerability exploitation in the wild

While Microsoft released a patch last month for the Netlogon flaw, the company said it detected threat actors using exploits for the critical vulnerability.

Threat actors are actively exploiting a critical Netlogon vulnerability disclosed and patched by Microsoft last month.

Dubbed "Zerologon" and identified as CVE-2020-1472, the flaw was rated the maximum CVSS severity of 10. Successful exploitation allows an attacker to essentially become a domain administrator and gain access to enterprise networks. It affects supported Windows Server OSes, including Windows Server 2008 and 2008 R2 for ESU customers.

In the security update last month, Microsoft said it was using a "phased two-part rollout" to patch the bug. The first part of the deployment was executed in the August Patch Tuesday security update. The second phase is planned for the first quarter of 2021.

One month after disclosing the Netlogon vulnerability in its August Patch Tuesday, Microsoft has confirmed sightings of exploitation in the wild.

Microsoft Security Intelligence posted the update to Twitter on Wednesday, writing, "Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks."

Earlier this month, infosec consultancy Secura, which found the flaw, published full details of the vulnerability and the severity of its exploitation. Microsoft asked Secura to wait three to four weeks before publishing to give customers time to patch, said Ralph Moonen, technical director at Secura.

"The vulnerability stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf," Tom Tervoort, senior security specialist, and Moonen wrote in the blog post.

Shortly after the blog post from Secura was published, multiple proof-of-concept exploits emerged on the internet, according to Scott Caveza, research engineering manager at Tenable.

"In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand upon previous code to add further automated and sophisticated attack scenarios. We anticipated attackers would seize the opportunity and begin exploiting the flaw very quickly, which we're now seeing play out," he said in an email to SearchSecurity.

Understanding the high risk, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive for agencies with a list of required actions. The CISA directive applied only to Windows servers with the Active Directory domain controller role and required those agencies to apply Microsoft's August security update by 11:59 pm on Monday, Sept 21.

Moonen said users often do not update even when the vulnerability is severe.

"We know that some of our customers have lived for many decades with the idea that patches often break stuff and that therefore you should wait," he said. "IT auditors seem to be happy to accept a 6-month patch window, and while in the '90s and early '00s that was fine, now it is not. The fact that DHS issued an emergency directive is evidence that also within government institutions this old-fashioned idea about patching is still embraced."

Based on how quickly exploitation has already begun, Caveza said Tenable anticipates this flaw will be a popular choice among attackers and will be integrated into malicious campaigns.

"Several samples of malicious .NET executables with the filename 'SharpZeroLogon.exe' have been uploaded to VirusTotal. Microsoft Security Intelligence has shared sample SHA-256 hashes to aid defenders in investigating any exploited systems," he said.

Like CISA and Microsoft, Caveza said administrators should prioritize patching this flaw as soon as possible.

SearchSecurity reached out to Microsoft for comment about the threat activity, but the company declined to provide additional details.

"A security update was released in August 2020. Customers who apply the update, or have automatic updates enabled, will be protected," a Microsoft spokesperson said.
