Hackers are using Zerologon exploits in attacks in the wild

Microsoft is warning of threat actors that are actively using the Windows Server Zerologon exploits in attacks in the wild.

Microsoft has published a series of Tweets to warn of attackers that are actively exploiting the Windows Server Zerologon in attacks in the wild. The IT giant is urging Windows administrators to install the released security updates as soon as possible.

Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks. — Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020

We’ll continue to monitor developments and update the threat analytics report with latest info. We strongly recommend customers to immediately apply security updates for CVE-2020-1472. Microsoft 365 customers can use threat & vulnerability management data to see patching status. pic.twitter.com/XTGgAHcw9S — Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020

Microsoft also shared sample exploit IoCs [1, 2, 3], which are .NET executables with the filename ‘SharpZeroLogon.exe.’

Sample exploit IOCs (SHA-256): b9088bea916e1d2137805edeb0b6a549f876746999fbb1b4890fb66288a59f9d, 24d425448e4a09e1e1f8daf56a1d893791347d029a7ba32ed8c43e88a2d06439, c4a97815d2167df4bdf9bfb8a9351f4ca9a175c3ef7c36993407c766b57c805b — Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020

The CVE-2020-1472 flaw is an elevation of privilege issue that resides in the Netlogon service. Netlogon is an authentication mechanism used in the Windows Client Authentication Architecture: it verifies logon requests, and it registers, authenticates, and locates domain controllers.

Administrators of enterprise Windows Servers have to install the August 2020 Patch Tuesday updates to mitigate the “unacceptable risk” the flaw poses to federal networks.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

The only precondition for carrying out a Zerologon attack is that the attacker must already have access to the target network.
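The password reset described above leaves traces that defenders can look for. The following is an added example (not code from the article, Microsoft, Secura or BleepingComputer) that runs a simple detector over constructed Windows event records: a 4742 "computer account was changed" event where a domain controller's machine account has its password reset by ANONYMOUS LOGON, and the Netlogon events 5827 (vulnerable connection denied) and 5829 (vulnerable connection allowed because enforcement is off) that the CVE-2020-1472 updates add to the System log. The DC names, IP addresses and the exact field names of the JSON records are assumptions; the event IDs 5827/5829 are taken from Microsoft's patch guidance and should be confirmed against your own DCs.

```python
"""Flag Zerologon-style activity in exported Windows event records.
Constructed example for this article; field names and hosts are assumed."""
import json
from dataclasses import dataclass
from typing import List, Optional

# Machine accounts of the domain controllers being monitored (constructed).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# 4742 is the standard Security log event "A computer account was changed".
EVENT_COMPUTER_ACCOUNT_CHANGED = 4742
# Netlogon System log events added by the CVE-2020-1472 updates (assumed from
# Microsoft's patch guidance): 5827 = vulnerable secure channel connection
# denied, 5829 = vulnerable connection allowed while enforcement is not on.
EVENT_VULN_CONN_DENIED = 5827
EVENT_VULN_CONN_ALLOWED = 5829

# Constructed event records, one JSON object per line, as a SIEM export might
# look. The first is a routine machine-password rotation done by DC01 itself.
SAMPLE_EVENTS = [
    '{"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "DC01$", '
    '"PasswordLastSet": "9/23/2020 02:10:44"}',
    '{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", '
    '"PasswordLastSet": "9/24/2020 11:02:17"}',
    '{"EventID": 4742, "SubjectUserName": "jdoe", "TargetUserName": "WS17$", '
    '"PasswordLastSet": "-"}',
    '{"EventID": 5829, "MachineName": "WS17", "IpAddress": "10.0.0.25"}',
    '{"EventID": 5827, "MachineName": "WS42", "IpAddress": "10.0.0.77"}',
]


@dataclass
class Finding:
    severity: str
    event_id: int
    detail: str


def analyze_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for one parsed event, or None if it is not suspicious."""
    eid = ev.get("EventID")
    if eid == EVENT_COMPUTER_ACCOUNT_CHANGED:
        target = ev.get("TargetUserName", "")
        subject = ev.get("SubjectUserName", "")
        password_changed = ev.get("PasswordLastSet") not in (None, "", "-")
        # A DC rotating its own machine password is routine; a DC machine
        # account reset by an unauthenticated (anonymous) session is not.
        if (target in DOMAIN_CONTROLLERS
                and subject.upper() == "ANONYMOUS LOGON"
                and password_changed):
            return Finding("critical", eid,
                           f"{target} machine account password reset by ANONYMOUS LOGON")
        return None
    if eid == EVENT_VULN_CONN_ALLOWED:
        return Finding("high", eid,
                       f"vulnerable Netlogon connection from {ev.get('MachineName')} "
                       f"({ev.get('IpAddress')}) allowed: enforcement mode is off")
    if eid == EVENT_VULN_CONN_DENIED:
        return Finding("info", eid,
                       f"vulnerable Netlogon connection from {ev.get('MachineName')} "
                       f"({ev.get('IpAddress')}) denied by the patched DC")
    return None


def analyze(lines: List[str]) -> List[Finding]:
    """Parse JSON-per-line event records and collect the findings."""
    findings = []
    for line in lines:
        finding = analyze_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.event_id}: {f.detail}")
```

The routine rotation in the first record is deliberately not flagged: domain controllers change their own machine-account password on a schedule, so the discriminating signal is the anonymous subject on a DC account, not the password change itself. The 5829 finding is the one to act on after patching, because it lists the clients that would be cut off once enforcement mode is turned on.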

The flaw was discovered by researchers from the security firm Secura, which also published technical details of the issue along with proof-of-concept exploits.

Researchers from BleepingComputer analyzed one of the samples and discovered that the exploit changes the NTLM hash of the domain controller to “31d6cfe0d16ae931b73c59d7e0c089c0”, which is the NTLM hash of an empty password.
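The value quoted above can be checked rather than taken on trust: an NT hash is MD4 over the UTF-16LE encoding of the password, so the hash of the empty string is simply MD4 of zero bytes. The following is an added example (not code from the article, BleepingComputer or Secura) with a pure-Python MD4, included because the `md4` algorithm is frequently unavailable in `hashlib` on OpenSSL 3 builds. The `is_empty_password_hash` helper is an assumed name for a check a responder might run over hashes recovered from a domain controller during an investigation.

```python
"""Compute NT hashes with a self-contained MD4 (RFC 1320) and check for the
empty-password hash. Added example; the helper names are assumptions."""
import struct

MASK = 0xFFFFFFFF
EMPTY_PASSWORD_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(message: bytes) -> bytes:
    """MD4 digest of message, following RFC 1320 step by step."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    # Padding: a single 0x80 byte, zeros up to 56 mod 64, then the 64-bit
    # little-endian bit length of the original message.
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def hh(x, y, z):
        return x ^ y ^ z

    # (function, additive constant, per-step shifts, message word order)
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13],
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (hh, 0x6ED9EBA1, [3, 9, 11, 15],
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )

    for off in range(0, len(padded), 64):
        words = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = h
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + words[k] + const) & MASK, shifts[i % 4])
                # Rotate the register roles so each step updates "a".
                a, b, c, d = d, a, b, c
        h = [(h[j] + v) & MASK for j, v in enumerate((a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, as hex."""
    return md4(password.encode("utf-16-le")).hex()


def is_empty_password_hash(nt_hash_hex: str) -> bool:
    """True if a recovered NT hash corresponds to an empty password."""
    return nt_hash_hex.strip().lower() == EMPTY_PASSWORD_NT_HASH


if __name__ == "__main__":
    print("NT hash of empty password:", nt_hash(""))
    print("matches article value:", is_empty_password_hash(EMPTY_PASSWORD_NT_HASH))
```

Running it prints the same 32 hex characters the article quotes, and the `abc` test vector from RFC 1320 confirms the MD4 implementation is correct for non-empty input as well.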

Secura researchers also released a Python script that uses the Impacket library to test for the Zerologon vulnerability; admins can use it to determine whether their domain controllers are still vulnerable.

Don’t waste time, patch your system now!


Pierluigi Paganini

(SecurityAffairs – hacking, ZeroLogon)

The post Hackers are using Zerologon exploits in attacks in the wild appeared first on Security Affairs.