Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said this morning.
“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks,” the company wrote in a series of tweets.
The attacks were expected to happen, according to security industry experts.
Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.
The first proof-of-concept exploit was published hours after the explanatory blog post, confirming Secura’s analysis that the Zerologon bug is easy to exploit, even by low-skilled threat actors.
A more in-depth explanation of the Zerologon bug is available in our initial coverage of the vulnerability, but, to simplify it, Zerologon is a flaw in Netlogon, the protocol that Windows systems use to authenticate to a Windows Server acting as a domain controller. The root cause, as described in Secura's analysis, is a cryptographic mistake in the protocol's authentication handshake: the AES-CFB8 cipher is used with an initialization vector of all zeros, which lets an attacker who can reach a domain controller over the network pass the handshake without knowing any password after a few hundred attempts and impersonate any computer in the domain, including the domain controller itself. Exploiting the Zerologon bug can therefore allow hackers to take over the domain controller and, by extension, a company's internal network.
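Why the handshake is so easy to pass, as an added example that is not from the original article and not code from Secura, Microsoft or the published exploits: the snippet reproduces only the cryptographic property that Secura's analysis describes. It assumes the pyca/cryptography package is installed, and the "session keys" it loops over are deterministic stand-ins derived from a counter, not keys from any real domain.

```python
"""Constructed demonstration of the Zerologon root cause (not exploit code).

ComputeNetlogonCredential in the Netlogon handshake encrypts an 8-byte
challenge with AES-CFB8 under the session key, but with an IV of 16 zero
bytes. With an all-zero challenge, the 8-byte credential is all zeros
whenever the first byte of AES_k(0^16) is zero, i.e. for about 1 session
key in 256. Because the session key changes on every handshake attempt, an
attacker who always sends a zero challenge and a zero credential succeeds
after a few hundred tries without knowing the machine password.

Assumptions: the pyca/cryptography package is installed; the session keys
and non-zero IVs below are deterministic stand-ins derived from a counter.
"""
import hashlib

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

ZERO_IV = bytes(16)
ZERO_CHALLENGE = bytes(8)


def aes_cfb8_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Plain AES-CFB8 encryption of data under key with the given IV."""
    enc = Cipher(algorithms.AES(key), modes.CFB8(iv), backend=default_backend()).encryptor()
    return enc.update(data) + enc.finalize()


def netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential as used by the vulnerable handshake: zero IV."""
    return aes_cfb8_encrypt(session_key, ZERO_IV, challenge)


def first_byte_of_aes_zero_block(session_key: bytes) -> int:
    """First byte of AES_k(0^16), the only keystream byte CFB8 ever uses
    while its shift register stays all-zero."""
    enc = Cipher(algorithms.AES(session_key), modes.ECB(), backend=default_backend()).encryptor()
    return (enc.update(bytes(16)) + enc.finalize())[0]


def stand_in_session_key(i: int) -> bytes:
    # Constructed stand-in for a per-handshake session key the attacker does not know.
    return hashlib.sha256(b"zerologon-demo-key-%d" % i).digest()[:16]


def stand_in_iv(i: int) -> bytes:
    # Constructed stand-in for what a properly random IV would look like.
    return hashlib.sha256(b"zerologon-demo-iv-%d" % i).digest()[:16]


def zero_credential_iff_first_byte_zero(n_keys: int) -> bool:
    """With a zero IV and zero plaintext, every CFB8 step re-encrypts the zero
    block as long as the output stays zero, so the credential is all zeros
    exactly when AES_k(0)[0] == 0. Returns True if that holds for n_keys keys."""
    for i in range(n_keys):
        k = stand_in_session_key(i)
        predicted = first_byte_of_aes_zero_block(k) == 0
        observed = netlogon_credential(k, ZERO_CHALLENGE) == ZERO_CHALLENGE
        if predicted != observed:
            return False
    return True


def count_zero_credentials(n_keys: int, zero_iv: bool) -> int:
    """How many of n_keys session keys would accept an all-zero credential,
    either with the protocol's zero IV or with a non-zero IV per key."""
    hits = 0
    for i in range(n_keys):
        k = stand_in_session_key(i)
        iv = ZERO_IV if zero_iv else stand_in_iv(i)
        if aes_cfb8_encrypt(k, iv, ZERO_CHALLENGE) == ZERO_CHALLENGE:
            hits += 1
    return hits


if __name__ == "__main__":
    n = 10_000
    print("zero credential <=> AES_k(0)[0] == 0 for all keys:",
          zero_credential_iff_first_byte_zero(n))
    print("zero IV    :", count_zero_credentials(n, zero_iv=True),
          "of", n, "keys accept an all-zero credential (about 1 in 256)")
    print("non-zero IV:", count_zero_credentials(n, zero_iv=False), "of", n)
```

With the protocol's zero IV roughly 1 key in 256 accepts the all-zero credential, which is why the attacker needs only a few hundred handshake attempts; with a non-zero IV the same 10,000 keys yield no hits, since each CFB8 step then encrypts a different register value and an all-zero 8-byte output has probability around 2^-64. The defect is the constant IV, not AES or CFB8 as such.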
Zerologon was described by many as the most dangerous bug revealed this year. Over the weekend, the DHS gave federal agencies three days to patch domain controllers or disconnect them from federal networks.
In an alert on Monday, CISA said the Zerologon bug also impacts Samba, the open-source SMB and Active Directory implementation, when it is deployed as a domain controller and speaks the same Netlogon protocol; Samba installations in that role also need to be updated.
While Microsoft has not released details about the attacks, it did release file hashes for the exploits used in the attacks.
As several security experts have recommended since Microsoft revealed the attacks, companies that have a domain controller exposed on the internet should take it offline and apply Microsoft's August 2020 Netlogon patch before putting it back.
These internet-reachable servers are particularly at risk because the exploit can be launched directly from the internet, without the hacker first needing a foothold on internal systems.