Tech giant & US feds last week renewed their urge to organisations to update Active Directory domain controllers.
Threat attackers continue to exploit the Microsoft Zerologon vulnerability, a situation that has been a persistent worry to both the company & the US Govt. over the last few months. Both last Thurs. renewed their pleas to businesses & end users to update Windows systems with a patch Microsoft released in Aug. to mitigate attacks.
Despite patching awareness efforts, Microsoft said it is still receiving “a small number of reports from customers & others” about active exploits of the bug tracked as CVE-2020-1472, or Zerologon, according to a blog post by Aanchal Gupta, VP of Engineering for MSRC, last Thurs.
The zero-day elevation-of-privilege vulnerability—rated as critical & 1st disclosed & patched on Aug. 11–could let an attacker to spoof a domain controller account & then use it to steal domain credentials, take over the domain & completely compromise all Active Directory identity services.
The bug is located in a core authentication component of Active Directory within the Windows Server OS & the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).
The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user & machine authentication.
Gupta asked organisations to deploy the Aug.11 patch or later release to every domain controller as the 1st in a 4-step process to fix the vulnerability. Then administrators should monitor event logs to find which devices are making vulnerable connections; address identified non-compliant devices; & enable enforcement to address the bug in the overall environment, he observed.
“Once fully deployed, Active Directory domain controller & trust accounts will be protected alongside Windows domain-joined machine accounts,” he commented.
In addition to Microsoft’s patches, in Sept. both Samba & 0patch also issued fixes for CVE-2020-1472 to fill in the some of the gaps that the official patch doesn’t address, such as end-of-life versions of Windows.
Microsoft’s latest advisory was enough for the US Department of Homeland Security’s (DHS’s) Cybersecurity & Infrastructure Security Agency (CISA) to step in & issue a statement of its own Thurs. warning organisations about continued exploit of the bug.
Given the severity of the vulnerability, the govt. has been nearly as active as Microsoft in urging people to update their systems. Interest from the feds likely has intensified since Microsoft’s warning earlier this month that an Iranian nation-state advanced persistent threat (APT) actor that Microsoft calls MERCURY (also known as MuddyWater, Static Kitten & Seedworm) is now actively exploiting Zerologon.
“CISA urges administrators to patch all domain controllers immediately, until every domain controller is updated, the entire infrastructure remains vulnerable, as threat players can identify & exploit a vulnerable system in minutes,” according to the CISA alert.
The agency has released a patch validation script to detect unpatched Microsoft domain controllers to help administers install the update. “If there is an observation of CVE-2020-1472
Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber-actors have compromised all identity services,” the CISA warned.
Zerologon has been an on-going problem for Microsoft’s since its discovery, a situation that has grown since early Sept. thanks mainly to the publication of 4 proof-of-concept exploits for the flaw on Github.
Soon after the exploits were published, Cisco Talos researchers warned of an increase in exploitation attempts against Zerologon.
The US Govt. 1st urged organisations to update after the publication of the exploits, with the DHS issuing a rare emergency directive that ordered federal agencies to patch their Windows Servers against the flaw by Sept. 21.