Zerologon Attacks Against Microsoft DCs Snowball in a Week (Security News, September 2020)
A spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, known as the Zerologon bug, continues to plague businesses.
Microsoft announced last week that it had started observing active exploitation in the wild: "We have observed attacks where public exploits have been incorporated into attacker playbooks," the firm tweeted on Wednesday.
A successful exploit allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft.
The initial patch for the vulnerability was issued as part of the computing giant's August 11 Patch Tuesday security updates, which address the security issue in Active Directory domains and trusts, as well as on Windows devices.
To fully mitigate the issue, administrators need to do more than install the patch. After updating every domain controller, they must enable "Enforcement mode," in which the DC rejects vulnerable Netlogon secure channel connections from all devices; Microsoft planned to make this the default in its February 2021 enforcement phase, and it can be turned on early by setting the FullSecureChannelProtection registry value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. In the meantime, they should monitor the System event log on each DC for Netlogon event IDs 5827 through 5831, which identify the devices still making vulnerable connections, and fix or replace those non-compliant third-party devices before enforcement cuts them off, according to Microsoft.
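The two steps above, enforcement and log review, as an added PowerShell example that is not code from the Threatpost article or from Microsoft. It assumes it is run in an elevated session on a domain controller that already has the August 2020 (or later) update installed; the registry value name and the event IDs are Microsoft's documented ones, while the "Machine SamAccountName:" line used to pull the client account out of each event's text is an assumption about the message layout.

```powershell
# Added example (not code from the Threatpost article or from Microsoft): on a
# patched domain controller, turn on Netlogon enforcement mode and summarise
# which devices are still making vulnerable Netlogon secure channel connections.
# Assumptions: run elevated on each DC; the registry value name and the event
# IDs are Microsoft's documented ones; the "Machine SamAccountName:" line used
# to parse the event text is an assumption about the message layout.

# 1. Enforcement mode. FullSecureChannelProtection = 1 makes this DC deny
#    vulnerable connections from every device (the default once Microsoft's
#    enforcement phase begins; setting it early closes the window now).
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $netlogonKey -Name 'FullSecureChannelProtection' -Value 1 -Type DWord

# 2. Netlogon events written to the System log by the August 2020 update:
#    5827, 5828  vulnerable connection denied (machine account / trust account)
#    5829        vulnerable connection allowed (only while enforcement is off)
#    5830, 5831  vulnerable connection allowed by a group policy exception
$outcomeById = @{
    5827 = 'denied'
    5828 = 'denied'
    5829 = 'allowed (enforcement off)'
    5830 = 'allowed (policy exception)'
    5831 = 'allowed (policy exception)'
}
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = @($outcomeById.Keys) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Pull the client account out of each message and aggregate per device.
$acctPattern = '(?m)^\s*Machine SamAccountName:\s*(?<acct>\S+)'   # assumed message layout
$rows = foreach ($e in $events) {
    $acct = if ($e.Message -match $acctPattern) { $Matches['acct'] } else { '<unparsed>' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $acct
        Outcome = $outcomeById[$e.Id]
    }
}

# One line per device: how often it tried, when it was last seen, and whether
# the DC let it in. Anything marked "allowed" is a device that must be fixed
# (or deliberately excepted) before enforcement mode is switched on.
$rows |
    Group-Object Account |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            Account  = $_.Name
            Attempts = $_.Count
            LastSeen = $latest.Time
            Outcomes = ($_.Group.Outcome | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Attempts -Descending |
    Format-Table -AutoSize
```

Run the report part first, on every DC, and only set the registry value once the "allowed" rows are down to devices you have consciously excepted through the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy; those exceptions keep showing up as 5830/5831 events, so the same report doubles as a check that no new unpatched device has appeared.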
News URL
https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/
Related news
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- Microsoft issues 117 patches – some for flaws already under attack (source)
- Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks (source)
- Microsoft: Ransomware Attacks Growing More Dangerous, Complex (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2020-08-17 | CVE-2020-1472 | Use of Insufficiently Random Values vulnerability in multiple products: an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). | 5.5