ZeroLogon, the privilege escalation vulnerability in the Netlogon Remote Protocol (MS-NRPC), is still being actively used by hackers against unpatched systems.
In a note published today by Aanchal Gupta (MSRC VP of Engineering), the company reported that “Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain”.
As a result the company reiterated its action plan in remediating the vulnerability.
Here in full:
Take Action
To protect your environment and prevent outages, you must do the following:
- UPDATE your Domain Controllers with an update released August 11, 2020 or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
Note Step 1 of installing updates released August 11, 2020 or later will address the security issue in CVE-2020-1472 for Active Directory domains and trusts, as well as Windows devices. To fully mitigate the security issue for third-party devices, you will need to complete all the steps.
Warning Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable enforcement mode.
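The four-step plan above is a procedure an administrator carries out on each domain controller. The following PowerShell is an added example, not code from the article or from Microsoft's note: it implements step 2 (finding vulnerable connections in the event log) and step 4 (turning on enforcement mode) and lets you confirm the current state before and after. It assumes an elevated session on a domain controller that already has the August 11, 2020 or later update installed (step 1); the Netlogon event IDs 5827 to 5831 and the FullSecureChannelProtection registry value are the ones Microsoft documents for CVE-2020-1472, and the function names are this example's own.

```powershell
# Added example (not from the article or Microsoft's note). Assumes an elevated
# PowerShell session on a Windows Domain Controller that already has the
# August 11, 2020 (or later) update installed (step 1 of the action plan).
# Event IDs and the registry value below are those Microsoft documents for CVE-2020-1472.

# Step 2: FIND devices still making vulnerable Netlogon secure channel connections.
# After the August update the Netlogon service logs these IDs to the System log:
#   5827, 5828 - vulnerable connection DENIED (machine account / trust account)
#   5829       - vulnerable connection ALLOWED because enforcement mode is not yet on
#   5830, 5831 - vulnerable connection ALLOWED because of a "Domain controller: Allow
#                vulnerable Netlogon secure channel connections" group policy exception
function Get-VulnerableNetlogonConnections {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829, 5830, 5831
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

# Count each event type so you can watch 5829 (still allowed) fall to zero while
# you address non-compliant devices (step 3) and before you enforce (step 4).
function Get-VulnerableNetlogonSummary {
    param([int]$Days = 7)
    Get-VulnerableNetlogonConnections -Days $Days |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

# Step 4: ENABLE enforcement mode. Microsoft's documented switch is the DWORD value
# FullSecureChannelProtection = 1 under the Netlogon Parameters key. Apply it on
# every DC; the value is absent or 0 while a DC is still in initial-deployment mode.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Test-NetlogonEnforcement {
    $v = Get-ItemProperty -Path $NetlogonKey -Name FullSecureChannelProtection `
        -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $false }   # value not set: not enforcing
    return ($v.FullSecureChannelProtection -eq 1)
}

function Enable-NetlogonEnforcement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($NetlogonKey, 'Set FullSecureChannelProtection = 1')) {
        New-ItemProperty -Path $NetlogonKey -Name FullSecureChannelProtection `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Read the value back so the caller sees the resulting state, not just the intent.
    Test-NetlogonEnforcement
}

# Usage on one DC:
Get-VulnerableNetlogonSummary -Days 14 | Format-Table -AutoSize
Get-VulnerableNetlogonConnections -Days 14 | Format-List
Test-NetlogonEnforcement
Enable-NetlogonEnforcement -WhatIf     # dry run; drop -WhatIf to enforce
```

Run the summary on every domain controller (for example by wrapping the functions in Invoke-Command against the list returned by Get-ADDomainController) rather than on one, since each DC only logs the connections it handled. Once enforcement is on, any remaining non-compliant device shows up as 5827/5828 denials instead of 5829 allows, which is the signal that step 3 was incomplete for that device.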
Zerologon has been exploited before
At the beginning of this month, Mercury, an Iranian APT, was spotted actively exploiting the CVE in several campaigns tracked as far back as the beginning of September. Its attacks appear to have begun around one week after the proof-of-concept code was published, at about the same time Microsoft began detecting the first Zerologon exploitation attempts.
Also, as bleepingcomputer.com reported, TA505, a financially motivated threat group known for distributing the Dridex banking trojan since 2014 and for providing a deployment vector for Clop ransomware in the later stages of its attacks, was detected by Microsoft exploiting the ZeroLogon vulnerability earlier this month.