24 September 2020

Hackers exploit Zerologon vulnerability in wild


Threat actors are actively exploiting the Windows Server Zerologon vulnerability in recent attacks. Microsoft strongly recommends that all Windows administrators install the security updates.

As part of the August 2020 Patch Tuesday security updates, Microsoft fixed a critical vulnerability (CVE-2020-1472) in Netlogon. The problem exists because the application does not properly impose security restrictions in Netlogon. A remote, unauthenticated attacker can use MS-NRPC to connect to a domain controller and obtain domain administrator access.

"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks. Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat," warned Microsoft.

Microsoft also presented three samples that were used in the attacks to exploit the Zerologon vulnerability. The samples are .NET executables named 'SharpZeroLogon.exe'.
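Microsoft's advice above is to patch and to use the detection details from its threat analytics report. The script below is an added example, not code from this article or from Microsoft, showing the kind of log triage a SecOps team can run on a domain controller's System log after the August 2020 update. It assumes the Netlogon event IDs that Microsoft's update guidance introduced for CVE-2020-1472 (5827/5828: a vulnerable Netlogon secure channel connection was denied; 5829: one was allowed during the initial deployment phase; 5830/5831: one was allowed by the group policy exception), and the line format and sample records are constructed for the example.

```python
"""Triage Netlogon events on a patched domain controller for CVE-2020-1472.

Assumption (from Microsoft's August 2020 update guidance, not from this
article): after the update, a DC writes Netlogon events 5827-5831 to the
System log whenever a vulnerable (unsigned/unsealed) secure channel
connection is denied or allowed. The line layout below is constructed for
this example; a real deployment would read the events via the event log API.
"""
import re
from collections import defaultdict

# Event ID -> (severity of a single occurrence, description).
NETLOGON_EVENTS = {
    5827: ("medium", "vulnerable Netlogon connection denied (machine account)"),
    5828: ("medium", "vulnerable Netlogon connection denied (trust account)"),
    5829: ("medium", "vulnerable Netlogon connection allowed (deployment phase)"),
    5830: ("low", "vulnerable Netlogon connection allowed by policy (machine account)"),
    5831: ("low", "vulnerable Netlogon connection allowed by policy (trust account)"),
}

# Constructed sample log lines: "<timestamp> <log> <provider> <eventid> key=value ...".
SAMPLE_LINES = [
    "2020-09-24T10:01:02Z System Netlogon 5827 SamAccountName=DC01$ ClientIP=10.0.0.55",
    "2020-09-24T10:01:02Z System Netlogon 5827 SamAccountName=DC01$ ClientIP=10.0.0.55",
    "2020-09-24T10:01:03Z System Netlogon 5827 SamAccountName=DC01$ ClientIP=10.0.0.55",
    "2020-09-24T10:01:03Z System Netlogon 5827 SamAccountName=DC01$ ClientIP=10.0.0.55",
    "2020-09-24T10:01:04Z System Netlogon 5827 SamAccountName=DC01$ ClientIP=10.0.0.55",
    "2020-09-24T10:01:04Z System Netlogon 5827 SamAccountName=DC01$ ClientIP=10.0.0.55",
    "2020-09-24T10:05:00Z System Netlogon 5829 SamAccountName=WS-FINANCE$ ClientIP=10.0.4.12",
    "2020-09-24T10:06:00Z System Netlogon 5830 SamAccountName=LEGACY-NAS$ ClientIP=10.0.4.40",
    "2020-09-24T10:07:00Z System Service-Control-Manager 7036 Service=Spooler State=running",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<log>\S+) (?P<provider>\S+) (?P<eid>\d+)(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "log": m["log"], "provider": m["provider"], "eid": int(m["eid"])}
    for kv in m["rest"].split():
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def triage(lines, burst_threshold=5):
    """Return a list of findings for Netlogon events 5827-5831.

    Denials (5827/5828) are aggregated per (account, client IP): a single denial
    can be a misconfigured device, but a burst of denials for the same account
    from one client is escalated to "high" because it looks like repeated
    attempts to open a vulnerable channel. Allowed connections (5829-5831) are
    reported individually so each exception can be reviewed and removed.
    """
    denied = defaultdict(int)
    first_seen = {}
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["provider"] != "Netlogon" or ev["eid"] not in NETLOGON_EVENTS:
            continue
        severity, what = NETLOGON_EVENTS[ev["eid"]]
        acct, ip = ev.get("SamAccountName", "?"), ev.get("ClientIP", "?")
        if ev["eid"] in (5827, 5828):
            denied[(acct, ip)] += 1
            first_seen.setdefault((acct, ip), ev["ts"])
        else:
            findings.append({"eid": ev["eid"], "severity": severity, "what": what,
                             "account": acct, "client_ip": ip, "count": 1, "first": ev["ts"]})
    for (acct, ip), n in denied.items():
        sev = "high" if n >= burst_threshold else "medium"
        findings.append({"eid": 5827, "severity": sev,
                         "what": f"{n} vulnerable Netlogon connection(s) denied",
                         "account": acct, "client_ip": ip, "count": n, "first": first_seen[(acct, ip)]})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["first"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']:6}] {f['first']} {f['account']:14} from {f['client_ip']:12} {f['what']}")
```

Run against the constructed sample, the script reports the six denials for DC01$ from 10.0.0.55 as a single high-severity burst, the 5829 for WS-FINANCE$ as a vulnerable connection that was still allowed (a device to patch or replace before enforcement), and the 5830 policy exception for LEGACY-NAS$ as something to justify or remove. Unrelated events such as 7036 are ignored.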
