- Homeland Security issued a rare warning about a Windows Server vulnerability that would give attackers complete control of every computer on a network.
- The CISA warning said at the time that it assumes active exploitation is occurring in the wild, advising everyone to apply the August patch that Microsoft release.
- Microsoft on Thursday noted that it has already observed attacks that incorporate the new Windows flaw.
Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency alert last week, over what appears to be one of the worst Windows flaws in recent history. Security researchers have identified a vulnerability so severe that it received a maximum severity score (10.0), prompting the agency to advise all governmental agencies to update their computers using Microsoft’s first patch for the issue that was launched a few weeks ago. The issue is so severe that a second update will be released early next year to further deal with the matter.
When CISA released the warning, it advised everyone to “go get patching,” including governmental agencies, state and local governments, private companies, and the general public. It also said at the time that it assumed that “active exploitation of this vulnerability is occurring in the wild.” Microsoft has since confirmed those assumptions, indicating that it found evidence of hackers taking advantage of the Zerologon vulnerability.
Zerologon is very dangerous because it allows malicious individuals to take over computers on a network without stealing any credentials beforehand. The attack involves forging an authentication token for a Netlogon functionality, which then opens doors to everything.
A flaw in a cryptographic authentication scheme makes it all possible. After access is granted to the network, the attackers could infect computers with additional malware and extract data from those computers.
Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
Microsoft tweeted an updated on the matter on Thursday, saying that it is “is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon.” The company said that it observed “attacks where public exploits have been incorporated into attacker playbooks,” without detailing any security incidents.
Despite the warning from CISA, not everyone may have patched their network, which explains why some hackers might already be exploiting the attack. The flaw affects most supported versions of Windows Server, KrebsOnSecurity explains. That includes Server 2008 through Server 2019.
Most Windows users would not even have to deal with the patch themselves. Still, they could be directly impacted if the governmental agency or company they worked at is targeted via a Zerologon attack before admins patch the network.
Microsoft might not be the only company to have observed malicious activity involving the new exploit. Tenable research engineering manager Scott Caveza said that samples of .NET executables called “SharpZeroLogon.exe” had been uploaded to VirusTotal, a Google service that scans suspicious files against antivirus programs.