Microsoft has issued a warning that hackers are exploiting a Windows Server system vulnerability that provides access to an organisation's active directory domain controller.
The tech giant said it was actively tracking hackers using the 'Zerologon' bug, which it said had been incorporated into attacker playbooks.
Zerologon has appeared in downloadable forms on the internet since it was first spotted by Dutch security firm Secura on 14 September. It is an exploit of Netlogon, the protocol used by Windows systems to authenticate against a Windows Server running as a domain controller. With it, hackers can take over the domain controller and, in turn, a company's internal network.
The warning comes just days after the US Cybersecurity and Infrastructure Security Agency (CISA) issued a directive, urging government agencies to immediately apply the Windows Server August 2020 security update to all domain controllers by 21 September.
CISA said that the bug poses "an unacceptable risk" and requires "immediate action", rating it the highest possible score of 10.0 on the CVSS scale of severity.
"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon," the tech giant warned in a tweet. "We have observed attacks where public exploits have been incorporated into attacker playbooks.
RELATED RESOURCE
Finding the right ADC to manage hybrid application delivery
A guide to ADC for IT and DevOps applications
"Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat."
Researchers have dubbed the vulnerability Zerologon as it allows hackers with minimal access to a network to login to its Active Directory simply by sending a string of zeros in messages that use the Netlogon protocol.
It's said to affect Windows Server versions from 2008 up to 2019.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
