Microsoft clarifies patch confusion for Windows Zerologon flaw

Microsoft clarified the steps customers should take to make sure that their devices are protected against ongoing attacks using Windows Server Zerologon (CVE-2020-1472) exploits.

The company revised the advisory after customers found Microsoft’s original guidance confusing and were unsure if applying the patch was enough to protect vulnerable Windows Server devices from attacks.

In a step-by-step approach, the updated advisory now explains the exact actions that administrators need to take to make sure that their environments are protected and outages are prevented in the event of an incoming attack designed to exploit servers that would otherwise be vulnerable to Zerologon exploits.

Microsoft outlined the following plan Windows admins need to follow when applying the ‘CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability’ security update issued as part of the August 2020 Patch Tuesday:

1. UPDATE your Domain Controllers with an update released August 11, 2020 or later.
2. FIND which devices are making vulnerable connections by monitoring event logs.
3. ADDRESS non-compliant devices making vulnerable connections.
4. ENABLE enforcement mode to address CVE-2020-1472 in your environment.
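For step 2 (FIND), here is an added PowerShell example, not taken from the article or from Microsoft, that an admin can run on a patched domain controller to list the devices still making vulnerable Netlogon connections. It assumes the August 11, 2020 (or later) update is installed so the DC writes the Netlogon secure-channel events (IDs 5827-5831) to the System log, and that the event message text uses the English field labels matched by the regexes.

```powershell
# Added example: summarise Netlogon vulnerable-connection events on a DC.
# Assumes the August 2020 (or later) update is installed; the System-log event IDs
# below are the ones Microsoft documented for this update:
#   5827/5828 = vulnerable connection DENIED (machine / trust account)
#   5829      = vulnerable connection ALLOWED during the initial deployment phase
#               (these are the devices to fix or replace before enforcement mode)
#   5830/5831 = vulnerable connection ALLOWED by the group-policy exception list
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query; default: local machine
    [int]$Days = 7                                # look-back window in days
)

$ids    = 5827, 5828, 5829, 5830, 5831
$filter = @{ LogName = 'System'; Id = $ids; StartTime = (Get-Date).AddDays(-$Days) }

# Get-WinEvent throws when nothing matches the filter, so suppress that and test below.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon vulnerable-connection events (IDs $($ids -join ',')) in the last $Days days."
    return
}

# The event text carries the client machine account and its IP address; pull both out.
# Field labels assume the English event message (assumption: adjust for other locales).
$rows = foreach ($e in $events) {
    $acct = if ($e.Message -match 'SamAccountName:\s*(\S+)')     { $Matches[1] } else { '?' }
    $ip   = if ($e.Message -match 'Client IP Address:\s*(\S+)')  { $Matches[1] } else { '?' }
    $state = switch ($e.Id) {
        { $_ -in 5827, 5828 } { 'DENIED' }
        5829                  { 'ALLOWED (no exception: fix or replace this device)' }
        default               { 'ALLOWED (policy exception)' }
    }
    [pscustomobject]@{ EventId = $e.Id; State = $state; Account = $acct; ClientIP = $ip; Last = $e.TimeCreated }
}

# One row per device: newest occurrence, hit count, sorted by event ID.
$rows | Group-Object Account, ClientIP | ForEach-Object {
    $latest = $_.Group | Sort-Object Last -Descending | Select-Object -First 1
    [pscustomobject]@{ Account = $latest.Account; ClientIP = $latest.ClientIP; EventId = $latest.EventId
                       State = $latest.State; Count = $_.Count; LastSeen = $latest.Last }
} | Sort-Object EventId | Format-Table -AutoSize
```

Run it against each domain controller, since every DC logs only the connections it served; devices listed under event 5829 are the ones to address (step 3) before enabling enforcement mode (step 4).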

The Zerologon vulnerability

CVE-2020-1472 is a critical security flaw rated 10/10 that was dubbed Zerologon by cybersecurity firm Secura; when exploited, it enables attackers to elevate privileges to domain administrator.

This makes it possible for them to take control over the domain, allowing them to change any user’s password and execute any command they want.

As the security update issued by Microsoft in August can also cause some of the affected devices to experience authentication issues, Microsoft is rolling out the Zerologon fix in two stages.

The first one was released on August 11 as a security update that will block Windows Active Directory Domain controllers from using unsecured RPC communication.

It will also log auth requests from non-Windows devices that don’t use secure RPC channels to allow admins time to fix the devices or replace them with ones that come with support for secure RPC.

Starting February 9, 2021, as part of that month’s Patch Tuesday updates, Microsoft will release another update that enables enforcement mode, which requires all network devices to use secure RPC unless specifically allowed by admins.

We have updated the KB article for CVE-2020-1472 to provide clarity on customers actions to ensure they are protected. See details here: https://t.co/l4MwY9DFvt — Security Response (@msftsecresponse) September 28, 2020

Ongoing Zerologon attacks

Last week, Microsoft warned admins to urgently apply security updates for Zerologon after discovering threat actors actively using CVE-2020-1472 exploits during attacks.

“We have observed attacks where public exploits have been incorporated into attacker playbooks,” Microsoft explained.

Microsoft Senior Threat Intelligence Analyst Kevin Beaumont confirmed that attacks started September 26th, with attackers successfully exploiting a vulnerable Active Directory server honeypot using a Zerologon exploit over the Internet.

“At 11:16 am UTC today (26th September 2020) somebody sent hundreds of login attempts matching the exploit chain, and then attempted to reset the domain computer password to blank (successfully, too),” Beaumont said. “This broke the domain controller for authentication.”

Yesterday, Cisco Talos security researchers also warned of “a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon.”
