Microsoft warns hackers are still abusing Windows Zerologon bug

[Image: hacker typing (credit: Shutterstock)]

The Zerologon vulnerability in the Netlogon Remote Protocol is still being actively exploited by attackers targeting unpatched systems, according to a new blog post from Microsoft.

While the software giant previously addressed the vulnerability in a series of security updates back in August, many organizations have yet to patch their Windows Server devices, leaving them vulnerable to privilege escalation attacks.

On an unpatched system, an attacker could exploit Zerologon to spoof a domain controller account, which could then be used to steal domain credentials and even take over the domain.

In a blog post, Aanchal Gupta, VP of engineering at the Microsoft Security Response Center (MSRC), urged users to apply the August security update to protect their systems, saying:

Deploying the August 11, 2020 security update or later release to every domain controller is the most critical first step toward addressing this vulnerability. Once fully deployed, Active Directory domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts. We strongly encourage anyone who has not applied the update to take this step now. Customers need to both apply the update and follow the original guidance as described in KB4557222 to ensure they are fully protected from this vulnerability.

Protecting devices against Zerologon

Since some of the devices affected by Zerologon have experienced authentication issues, Microsoft is rolling out the fix for the bug in two stages. At the same time, the company has updated the FAQs in its original documentation to provide further clarity, as some users found them confusing.

Microsoft is now telling users to update their domain controllers with the patch released in August, identify which devices are making vulnerable connections by monitoring event logs, address the non-compliant devices behind those connections, and finally enable enforcement mode to address CVE-2020-1472 in their environment.
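As an added example of the event-log monitoring step above (this script is not from the article, and it is not Microsoft's own tooling), the following PowerShell, run on a domain controller, lists the Netlogon events that KB4557222 documents for vulnerable secure channel connections (Event IDs 5827 to 5831) and summarises which devices still need attention before enforcement mode is enabled. The parameter names, the output layout and the export path are this example's own choices and are not described in the article.

```powershell
# Added example (not from the article or from Microsoft): enumerate Netlogon
# events on a domain controller to find devices still making vulnerable
# Netlogon secure channel connections after the August 2020 update.
# Event IDs 5827-5831 are the Netlogon events documented in KB4557222:
#   5827/5828 - vulnerable connection DENIED (machine account / trust account)
#   5829      - vulnerable connection ALLOWED (pre-enforcement; these are the
#               devices to remediate before enabling enforcement mode)
#   5830/5831 - vulnerable connection ALLOWED because a group policy
#               explicitly permits it (machine account / trust account)
# Run on each domain controller with an account that can read the System log.
# Parameter names, output layout and export path are this example's own choices.

param(
    [int]    $Days    = 7,
    [string] $OutFile = "$env:TEMP\zerologon-vulnerable-connections.csv"
)

$netlogonEvents = @{
    5827 = 'Denied (machine account)'
    5828 = 'Denied (trust account)'
    5829 = 'Allowed - vulnerable, needs remediation'
    5830 = 'Allowed by policy (machine account)'
    5831 = 'Allowed by policy (trust account)'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = @($netlogonEvents.Keys)
    StartTime    = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches, and
# "no matches" is the healthy outcome we want to report rather than an error.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon events $($netlogonEvents.Keys -join ', ') in the last $Days day(s): no vulnerable connections observed on $env:COMPUTERNAME."
    return
}

# Each event message names the calling machine (SAM) account, its domain and
# client IP. The raw message is kept instead of parsing a fixed layout because
# the field order differs between the five event IDs.
$report = $events | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id
        Outcome     = $netlogonEvents[$_.Id]
        Message     = ($_.Message -replace '\s+', ' ')
    }
}

# Summarise how many connections of each kind were seen; 5829 entries are the
# devices that must be fixed (or explicitly allowed) before enforcement mode.
$report | Group-Object EventId | Sort-Object Name |
    Select-Object @{n='EventId';e={$_.Name}}, Count,
                  @{n='Outcome';e={$netlogonEvents[[int]$_.Name]}} |
    Format-Table -AutoSize

# Full detail for follow-up with device owners.
$report | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Detailed list written to $OutFile"
```

Run it on every domain controller, since each one only logs the connections it handled itself; an empty result on all of them over a representative window is the signal that enforcement mode can be enabled without breaking authentication for a device that was never noticed.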

Organizations using Microsoft Defender for Identity (previously Azure Advanced Threat Protection) or Microsoft 365 Defender (previously Microsoft Threat Protection) will be able to detect attackers trying to exploit Zerologon against their domain controllers.

Microsoft also contacted the US Cybersecurity and Infrastructure Security Agency (CISA), which issued its own alert reminding state and local agencies to take the necessary steps to address this vulnerability.

If your organization is running a Windows Server device, now is the time to patch it to avoid falling victim to any potential attacks exploiting Zerologon.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.