Zerologon attack lets hackers take over enterprise networks: Patch now
Last month Microsoft patched one of the most severe bugs ever reported to the company, an issue that could be abused to easily take over Windows Servers running as domain controllers in enterprise networks.
The bug was patched in the August 2020 Patch Tuesday under the identifier CVE-2020-1472. It was described as an elevation of privilege in Netlogon, the protocol that authenticates users against domain controllers. The vulnerability received the maximum severity rating of 10, but details were never made public, until now. The entire attack is very fast, taking at most three seconds.

There are limitations to how a Zerologon attack can be used. For starters, it cannot be used to take over Windows Servers from outside the network. An attacker first needs a foothold inside a network. However, when this condition is met, it's literally game over for the attacked company. Furthermore, this bug is also a boon for malware and ransomware gangs, which often rely on infecting one computer inside a company's network and then spreading to multiple others. With Zerologon, this task has been considerably simplified.
Attacks using Zerologon are a given, primarily due to the bug's severity, wide impact, and benefits for attackers.
Since the release of Secura's writeup, numerous researchers have released proof-of-concept exploits that allow a user to gain domain administrator privileges on a vulnerable network. As fixing the Zerologon vulnerability can cause some devices to not properly authenticate, Microsoft is rolling out the fix in two stages.
The first stage was released on August 11th in the form of a security update that prevents Windows Active Directory domain controllers from using unsecured RPC communication. On February 9th, 2021, as part of the Patch Tuesday updates, Microsoft will release a second update that enters the enforcement phase, requiring all devices on the network to use secure RPC unless specifically allowed by an administrator.