Zerologon (CVE-2020-1472) exploits in Microsoft Netlogon: fixed, but actively used in attacks
The vulnerability, CVE-2020-1472 in Microsoft's Netlogon Remote Protocol, was named 'Zerologon' by the cybersecurity firm Secura that discovered it. When exploited, it allows an unauthenticated attacker with network access to a domain controller to elevate their privileges to domain administrator and take control of the domain.
Soon after Secura published its writeup on how the vulnerability was discovered, researchers released proof-of-concept exploits demonstrating how it could be exploited.
Microsoft warns of active Zerologon attacks
In a series of tweets tonight, Microsoft warned that Zerologon exploits are actively being used in attacks and that admins should install the necessary security updates immediately.
"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks."
"Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat."
"We'll continue to monitor developments and update the threat analytics report with latest info. We strongly recommend customers to immediately apply security updates for CVE-2020-1472. Microsoft 365 customers can use threat & vulnerability management data to see patching status," Microsoft tweeted tonight.
Included in these tweets are three samples that Microsoft states were used in the attacks to exploit the Zerologon CVE-2020-1472 Netlogon elevation of privilege vulnerability.
The samples are .NET executables with the filename 'SharpZeroLogon.exe' and can be found on VirusTotal.
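Microsoft's tweets point SecOps teams at "detection details" without reproducing them. As an added example (not code from the article, from Microsoft's threat analytics report, or from the SharpZeroLogon tooling), the following Python script runs two widely used Zerologon detections over constructed Windows event records. The first looks for Security log Event 4742 (computer account changed) where the subject is ANONYMOUS LOGON and the target is a domain controller's machine account, which is what a domain controller records when a public exploit resets its machine account password over an unauthenticated Netlogon channel. The second looks for the Netlogon events 5827-5831 that Microsoft's August 2020 update for CVE-2020-1472 introduced to report vulnerable secure channel connections. The event field names, hostnames and timestamps are constructed for the example; in production the records would come from the DC, for instance via `Get-WinEvent` exported to JSON.

```python
"""Zerologon (CVE-2020-1472) exploitation indicators over exported Windows events.

Added example; not part of the original article or of any Microsoft tooling.
Assumes events were exported from a domain controller as dicts with the
field names used below (constructed for this example).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Netlogon event IDs (System log, source NETLOGON) added by the August 2020
# update for CVE-2020-1472. 5827/5828: vulnerable connection denied from a
# machine / trust account. 5829-5831: vulnerable connection allowed, either
# during the pre-enforcement phase or because of the allow-list group policy.
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED = {5829, 5830, 5831}


@dataclass
class Finding:
    severity: str
    event_id: int
    computer: str
    reason: str


def is_dc_account(sam_name: str, dc_names: Iterable[str]) -> bool:
    """Machine accounts are stored as NAME$; compare case-insensitively."""
    return sam_name.rstrip("$").upper() in {n.upper() for n in dc_names}


def analyze(events: List[Dict], dc_names: Iterable[str]) -> List[Finding]:
    """Return findings for events matching Zerologon exploitation patterns."""
    dc_names = list(dc_names)
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 4742:
            subject = ev.get("SubjectUserName", "")
            target = ev.get("TargetUserName", "")
            # Normal machine password rotation is performed by the computer
            # itself (subject == target). An ANONYMOUS LOGON subject changing a
            # DC account is the exploit's password-reset step.
            if subject.upper() == "ANONYMOUS LOGON" and is_dc_account(target, dc_names):
                findings.append(Finding(
                    "critical", 4742, host,
                    f"DC machine account {target} changed by ANONYMOUS LOGON "
                    f"(PasswordLastSet={ev.get('PasswordLastSet', '?')})"))
        elif eid in NETLOGON_DENIED:
            # Either an exploit attempt or a non-compliant device; both need a look.
            findings.append(Finding(
                "high", eid, host,
                f"vulnerable Netlogon secure channel denied for "
                f"{ev.get('MachineSamAccountName', '?')}"))
        elif eid in NETLOGON_ALLOWED:
            # Still permitted: the caller must be fixed before enforcement mode.
            findings.append(Finding(
                "medium", eid, host,
                f"vulnerable Netlogon secure channel allowed for "
                f"{ev.get('MachineSamAccountName', '?')}"))
    return findings


# Constructed sample events: not real log data.
SAMPLE_EVENTS = [
    # Benign scheduled machine password rotation: the DC changes its own account.
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "DC01$",
     "SubjectDomainName": "CORP", "TargetUserName": "DC01$",
     "PasswordLastSet": "9/23/2020 9:00:00 PM"},
    # Zerologon pattern: unauthenticated caller reset the DC machine account password.
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$",
     "PasswordLastSet": "9/23/2020 9:13:42 PM"},
    # Patched DC denying a vulnerable Netlogon connection from a workstation account.
    {"EventID": 5827, "Computer": "DC01.corp.example", "MachineSamAccountName": "WS-LAB7$",
     "Domain": "CORP"},
    # Admin editing a workstation account: not a DC account, ignored.
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "TargetUserName": "WS-LAB7$", "PasswordLastSet": "-"},
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, dc_names=["DC01"]):
        print(f"[{f.severity}] {f.computer} event {f.event_id}: {f.reason}")
```

Run against the constructed sample, the script reports the ANONYMOUS LOGON change of DC01$ as critical and the denied Netlogon connection from WS-LAB7$ as high, and ignores both the routine self-rotation and the admin's workstation edit. A critical 4742 hit should be treated as a likely compromise of that domain controller: the exploit leaves the DC's machine account with an empty password, so the account must be reset and the domain examined for follow-on activity, not just patched.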