Microsoft is tracking threat actor activity that uses an exploit for CVE-2020-1472, the Netlogon elevation-of-privilege (EoP) vulnerability known as Zerologon. Microsoft has seen attacks in which public vulnerabilities were inserted into attackers' playbooks, and according to security industry analysts, such attacks were expected. The Zerologon bug also affects the Samba file-sharing software, which needs to be updated as well. Microsoft has provided file hashes for the exploits used in the attacks.
In computer security, vulnerabilities are unintended weaknesses present in software programs or operating systems. They can be the product of incorrect machine settings or of security and programming errors. If left unaddressed, such bugs create security holes that cybercriminals can exploit. Let's look at the active attacks against the Zerologon vulnerability.
Active attacks against Zerologon vulnerability
Microsoft warned that malicious cyber actors are exploiting Zerologon. The details of the Zerologon bug were first revealed on 14 September by researchers at the Dutch cybersecurity company Secura BV; it is a dangerous vulnerability in Windows Server systems that could allow an attacker to gain access to an organization's Active Directory domain controllers. Since then, numerous proof-of-concept exploits have appeared on the Internet in downloadable form. Zerologon is a critical elevation-of-privilege bug: it allows an attacker with a foothold on a local network to become a domain administrator instantly and to gain access to the organization's Active Directory domain controllers.
According to Secura, the vulnerability is due to a flaw in the cryptographic algorithm of the Netlogon Remote Protocol, which is used to authenticate users and machines on Windows domain controllers. Researchers dubbed the bug Zerologon because it can be exploited by attackers with only limited access to the vulnerable network. The threat analysis report includes technical details, mitigation, and detection details to empower SecOps teams to detect and mitigate this threat. Microsoft has yet to provide a patch that supports all systems, but two other parties have rolled out patches for the Zerologon vulnerability. 0patch said its micropatch was logically the same as Microsoft's fix, focusing mainly on Windows Server 2008 R2 users without extended security updates. Samba, a file-sharing utility that allows Windows, Linux, and Mac systems to connect with each other, has also released its Zerologon patch. The Samba utility uses the Netlogon protocol and is therefore vulnerable too.
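The detection side that the report is meant to support can be illustrated with a small triage script. The following is an added example, not code from the original article, from Microsoft or from Secura. It reads the Netlogon Event IDs (5827, 5828, 5829, 5830, 5831) that domain controllers write to the System log once the August 2020 Netlogon update is installed, and flags the machines that still depend on vulnerable (unsigned, unsealed) secure-channel connections. The Event IDs are the ones documented in Microsoft's Netlogon enforcement guidance; the key=value log format and the sample lines are constructed for this example, so a real deployment would feed it exported events from the EVTX or a SIEM instead.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Netlogon Event IDs written by a patched domain controller (Microsoft's
# Netlogon secure channel enforcement guidance). The IDs are real; the
# log line format used below is a constructed, simplified key=value form.
NETLOGON_EVENTS = {
    5827: "denied",               # vulnerable connection from a machine account denied
    5828: "denied",               # vulnerable connection from a trust account denied
    5829: "allowed-vulnerable",   # vulnerable connection allowed (enforcement not yet on)
    5830: "allowed-by-policy",    # machine account allowed by an explicit group policy
    5831: "allowed-by-policy",    # trust account allowed by an explicit group policy
}

# Constructed sample log export. 4624 is an ordinary logon event and must be ignored;
# the last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = [
    "EventID=5829 Machine=LEGACY-NAS$ ClientIP=10.0.5.20",
    "EventID=5827 Machine=WS-UNKNOWN$ ClientIP=10.0.9.77",
    "EventID=5829 Machine=LEGACY-NAS$ ClientIP=10.0.5.20",
    "EventID=5830 Machine=PRINT01$ ClientIP=10.0.5.31",
    "EventID=4624 Machine=DC01$ ClientIP=10.0.5.1",
    "not a log line",
]

LINE_RE = re.compile(r"^EventID=(\d+)\s+Machine=(\S+)\s+ClientIP=(\S+)")


@dataclass
class NetlogonEvent:
    event_id: int
    machine: str
    client_ip: str
    status: str


def parse_line(line):
    """Return a NetlogonEvent for a Netlogon enforcement event, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event_id = int(m.group(1))
    if event_id not in NETLOGON_EVENTS:
        return None
    return NetlogonEvent(event_id, m.group(2), m.group(3), NETLOGON_EVENTS[event_id])


def triage(lines):
    """Count events per status and list machines still using vulnerable channels.

    A machine in 'needs_attention' either still negotiates an insecure secure
    channel (5829) or has been explicitly exempted by policy (5830/5831); both
    should be patched or removed from the exemption before enforcement mode.
    Denied events (5827/5828) from hosts not in the asset inventory deserve a
    closer look, since an exploit attempt against a patched DC also lands there.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    counts = Counter(e.status for e in events)
    needs_attention = sorted({e.machine for e in events if e.status != "denied"})
    denied_sources = sorted({(e.machine, e.client_ip) for e in events if e.status == "denied"})
    return {
        "counts": dict(counts),
        "needs_attention": needs_attention,
        "denied_sources": denied_sources,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("event counts:", report["counts"])
    print("machines still on vulnerable channels:", report["needs_attention"])
    print("denied sources to review:", report["denied_sources"])
```

Run as-is it triages the embedded sample; point `triage()` at a real export to get the list of machines to patch before switching the domain controllers to enforcement mode, and cross-check the denied sources against your asset inventory.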
How to defend against vulnerabilities
Some measures businesses can take to reduce their exposure to the vulnerability:
- Use virtual local area networks to isolate certain parts of the network. Dedicated physical or virtual network segments may also be used to isolate critical traffic flowing between servers.
- Implement IPsec, an IP protection protocol, to provide encryption and authentication for network traffic.
- Deploy an IPS or IDS.
- Use network access control to prevent rogue machines from accessing key parts of the business system.
- Keep all devices up-to-date and patched.
- Perform routine vulnerability scanning against enterprise networks and close any vulnerabilities that are found.
There is no way to guard against a particular exploit before it appears. Maintaining a high level of information security cannot prevent every zero-day vulnerability, but it can help defeat attacks that use zero-day exploits once the vulnerabilities have been patched. By using many of the methods and techniques above, you can better protect your staff, your records, and your organization.