ZeroLogon vulnerability being actively exploited

Microsoft has revealed it has discovered threat actors using exploits from the ZeroLogon Netlogon elevation of privilege (EoP) vulnerability in Windows Server disclosed last month.

The vulnerability, which was patched during last month’s Patch Tuesday, can also potentially be exploited to enable initial access into a network if a domain controller is internet exposed, the Australian Cyber Security Centre (ACSC) has warned in an advisory.

Proof of concept code to exploit the vulnerability has been made freely available online and integrated into common exploit frameworks and tools, the advisory states.

The ACSC is urging organisations to apply Microsoft’s fix for the vulnerability immediately. Where this cannot be achieved, the ACSC recommends organisations implement additional mitigations to prevent the threat of immediate exploitation.

These include ensuring logging is enabled for events including an account successfully logging on or a computer account being changed. Events that list the security ID and account name fields as “anonymous login” and account domains as “NT authority” must be immediately assessed. But some legitimate legacy devices may use the functionality.

Even if a system is patched, organisations should log events related to insecure connection attempts, whether they have been denied or have been successful.

Organisations at greater risk of exploit have meanwhile been urged to implement additional “defence-in-depth” measures to ensure protection against exploitation, such as ensuring all administrative access protocols, ports and Domain Controller access is not available externally.

Most recent firewall products will also be able to perform Deep Packet Inspection to detect network traffic that is attempting to exploit the vulnerability, the ACSC said.

Tenable research engineering manager Scott Caveza said proof of concept scripts exploiting the vulnerability started to emerge hours after security company Secura published a detailed technical breakdown of the vulnerability.

“In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand upon previous code to add further automated and sophisticated attack scenarios. We anticipated attackers would seize the opportunity and begin exploiting the flaw very quickly, which we’re now seeing play out,” he said.

“Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we’re seeing attacks in the wild. Administrators should prioritise patching this flaw as soon as possible.”

Image credit: ©stock.adobe.com/au/Mila Gligoric