Over the last two months, we have been documenting Zerologon (CVE-2020-1472), a hugely dangerous Windows flaw that Microsoft and security firms have been trying to stamp out. Now, Microsoft is warning Windows users it has “a small number of reports” of attacks exploiting the vulnerability.
In an alert on Thursday, the company says bad actors are targeting the flaw in the Netlogon Remote Protocol, the Windows service that authenticates users and machines against domain controllers. We have previously reported how attackers could exploit Zerologon, a vulnerability in Netlogon, to mount an elevation-of-privilege attack.
As we reported initially, Microsoft has already sent out a patch for the flaw. That patch was supplemented a week later by two third-party patches: 0patch issued a fix, saying Microsoft's does not work on all systems, and the file-sharing suite Samba, which implements Netlogon, patched its own service.
However, earlier this month Microsoft confirmed it has seen exploits for the vulnerability in the wild. It is worth remembering that the company rates this flaw 10/10 for severity. Microsoft and security experts agree it has the potential to be one of the most dangerous Windows vulnerabilities ever.
It is also notable for working quickly, which makes it even more problematic. In fact, Zerologon can infiltrate an enterprise system in three seconds or less. Attackers could also use it to change passwords and, with relatively little effort, take over a whole organization's network.
Ongoing Threat
In an update to its support document, Microsoft says admins should install the patch on domain controllers. They should also continue to monitor logs to keep track of the devices connecting to those servers.
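As an added example (not code from the article or from Microsoft), here is a PowerShell query an admin could run on a patched domain controller to review the Netlogon secure-channel events the patch writes to the System log, which is the log monitoring the paragraph above describes. It assumes the Netlogon event IDs 5827 through 5831 documented in Microsoft's patch guidance and the "Machine SamAccountName" and "Client IP Address" fields in those event messages.

```powershell
# Added example: list Netlogon secure-channel events written by a patched DC.
# Assumed event IDs (from Microsoft's Zerologon patch guidance):
#   5827/5828 = vulnerable connection denied (machine / trust account)
#   5829      = vulnerable connection still ALLOWED (needs follow-up)
#   5830/5831 = vulnerable connection allowed by an explicit policy exception
$eventIds = 5827, 5828, 5829, 5830, 5831
$since    = (Get-Date).AddDays(-7)   # look-back window; adjust as needed

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = $eventIds
    StartTime = $since
} -ErrorAction SilentlyContinue        # no error when nothing matches

if (-not $events) {
    Write-Host "No Netlogon enforcement events in the last 7 days."
    return
}

# One row per event: when, which ID, a plain-language status, and the
# account/client lines from the message (assumed field names).
$events |
    ForEach-Object {
        $detail = ($_.Message -split "`r?`n") |
            Where-Object { $_ -match 'SamAccountName|Client IP' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Status  = switch ($_.Id) {
                5827    { 'Denied (machine account)' }
                5828    { 'Denied (trust account)' }
                5829    { 'ALLOWED - still vulnerable' }
                default { 'Allowed by policy exception' }
            }
            Details = ($detail -join '; ')
        }
    } |
    Sort-Object Id, Time |
    Format-Table -AutoSize
```

Any 5829 rows identify devices that still negotiate the insecure channel and should be updated or investigated before enforcement mode is turned on.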
Microsoft says the vulnerability could be leveraged to influence the upcoming US election.
“We contacted CISA, which has issued an additional alert to remind state and local agencies, including those involved in the US elections, about applying steps necessary to address this vulnerability,” Microsoft says.