Zerologon Attacks Against Microsoft DCs Snowball in a Week
Last week, the first active exploits of the Microsoft Zerologon vulnerability (CVE-2020-1472) were flagged. Now, just over a week later, threat actors are leveraging the bug in attempts to take over Active Directory identity services, and security researchers are observing a massive spike in exploitation attempts. Researchers at Cisco Talos initially warned of cybercriminals using the elevation-of-privilege bug in the Netlogon Remote Protocol. The vulnerability was then addressed in the Microsoft Patch Tuesday report, with Microsoft admitting that it had observed exploitation in the wild.
According to Cisco Talos, the volume of attacks utilizing the vulnerability has been rapidly increasing over the past few days. Netlogon is available on Windows domain controllers, and a successful exploit of the flaw allows attackers to obtain network access to a domain controller and then compromise all Active Directory identity services. The vulnerability has a severity rating of 10 out of 10 on the CVSS scale. The Cybersecurity and Infrastructure Security Agency released a warning regarding the vulnerability, stating that it poses an unacceptable risk to civilians and requires immediate action, and mandating that federal agencies patch their servers against Zerologon.