Lucene search

K
krebsBrianKrebsKREBS:952ACEBFD55EBD076910C6B233491883
HistorySep 24, 2020 - 5:00 p.m.

Microsoft: Attackers Exploiting ‘ZeroLogon’ Windows Flaw

2020-09-2417:00:51
BrianKrebs
krebsonsecurity.com
78

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Microsoft warned on Wednesday that malicious hackers are exploiting a particularly dangerous flaw inWindows Serversystems that could be used to give attackers the keys to the kingdom inside a vulnerable corporate network. Microsoft's warning comes just days after theU.S. Department of Homeland Security issued an emergency directive instructing all federal agencies to patch the vulnerability by Sept. 21 at the latest.

DHS's Cybersecurity and Infrastructure Agency (CISA) said in the directive that it expected imminent exploitation of the flaw – CVE-2020-1472 and dubbed "ZeroLogon" – because exploit code which can be used to take advantage of it was circulating online.

Last night, Microsoft's Security Intelligence unit tweeted that the company is "tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon vulnerability."

"We have observed attacks where public exploits have been incorporated into attacker playbooks," Microsoft said. "We strongly recommend customers to immediately apply security updates."

Microsoft released a patch for the vulnerability in August, but it is not uncommon for businesses to delay deploying updates for days or weeks while testing to ensure the fixes do not interfere with or disrupt specific applications and software.

CVE-2020-1472 earned Microsoft's most-dire "critical" severity rating, meaning attackers can exploit it with little or no help from users. The flaw is present in most supported versions of Windows Server, from Server 2008 throughServer 2019.

The vulnerability could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

Scott Caveza, research engineering manager at security firm Tenable, said several samples of malicious .NET executables with the filename ‘SharpZeroLogon.exe’ have been uploaded to VirusTotal, a service owned by Google that scans suspicious files against dozens of antivirus products.

"Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we’re seeing attacks in the wild," Caveza said. "Administrators should prioritize patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns."

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Related for KREBS:952ACEBFD55EBD076910C6B233491883