The attempted compromises, which could allow full control over Active Directory identity services, are flying thick and fast just a week after active exploits of CVE-2020-1472 were first flagged.
A spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, known as the Zerologon bug, continues to plague businesses.
That’s according to researchers from Cisco Talos, who warned that cybercriminals are redoubling their efforts to trigger the elevation-of-privilege bug in the Netlogon Remote Protocol, which Microsoft patched in its August Patch Tuesday release. Microsoft announced last week that it had started observing active exploitation in the wild: “We have observed attacks where public exploits have been incorporated into attacker playbooks,” the firm tweeted on Wednesday.
Now, the volume of those attacks is ramping up, according to Cisco Talos, and the stakes are high. Netlogon, available on Windows domain controllers, is used for various tasks related to user and machine authentication. A successful exploit allows an unauthenticated attacker with network access to a domain controller (DC) to completely compromise all Active Directory identity services, according to Microsoft.
“This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials,” added Cisco Talos, in a writeup on Monday. “The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality.”
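The two paragraphs above describe what a successful exploit looks like from the domain controller’s side: an unauthenticated Netlogon session resets the DC’s own computer-account password. The following detection script is an added example, not code from the article, Cisco Talos or Microsoft. It runs a few defender-side heuristics over Windows event records: a Security event 4742 (“A computer account was changed”) whose target is a DC machine account and whose subject is ANONYMOUS LOGON, correlated with a preceding anonymous network logon (event 4624, logon type 3) from the same client; and System events 5827/5828, which a patched DC logs when it denies a vulnerable Netlogon secure channel connection. The event IDs are standard Windows IDs; the record layout, the `DC_ACCOUNTS` list and all sample values are constructed for the example.

```python
"""Flag Zerologon-style activity in Windows event records (added example).

Heuristics:
  * Security 4742 whose target is a domain controller machine account and whose
    subject is ANONYMOUS LOGON: the DC's own password reset over an
    unauthenticated Netlogon session.
  * Security 4624, logon type 3, as ANONYMOUS LOGON shortly before that 4742,
    used to attribute the reset to a client address.
  * System 5827 / 5828: a fully patched DC denied a vulnerable Netlogon secure
    channel connection from a machine or trust account.
Event IDs are real Windows IDs; every record below is constructed.
"""
from collections import deque

ANON = "ANONYMOUS LOGON"
CORRELATION_WINDOW = 60  # seconds between an anonymous 4624 and a suspicious 4742

# Constructed DC machine accounts (assumption: populated from AD in practice).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed event records; `ts` is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"ts": 10, "event_id": 4624, "subject": "alice", "source_ip": "10.0.0.5", "logon_type": 3},
    {"ts": 12, "event_id": 4742, "subject": "alice", "target": "WS-12$"},       # benign
    {"ts": 100, "event_id": 4624, "subject": ANON, "source_ip": "10.0.0.99", "logon_type": 3},
    {"ts": 104, "event_id": 4742, "subject": ANON, "target": "DC01$"},           # suspicious
    {"ts": 300, "event_id": 5827, "target": "WS-07$", "source_ip": "10.0.0.77"},  # denied by patched DC
    {"ts": 900, "event_id": 4742, "subject": ANON, "target": "DC02$"},           # no 4624 to correlate
]


def analyze(events, dc_accounts=DC_ACCOUNTS, window=CORRELATION_WINDOW):
    """Return findings as dicts: kind, account, source_ip (None if unknown), ts."""
    findings = []
    anon_logons = deque()  # recent (ts, source_ip) anonymous network logons
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Expire anonymous logons that fall outside the correlation window.
        while anon_logons and ev["ts"] - anon_logons[0][0] > window:
            anon_logons.popleft()
        eid = ev["event_id"]
        if eid == 4624 and ev.get("subject") == ANON and ev.get("logon_type") == 3:
            anon_logons.append((ev["ts"], ev.get("source_ip")))
        elif eid == 4742 and ev.get("target") in dc_accounts and ev.get("subject") == ANON:
            # Fires even without a correlated 4624: the reset itself is the signal.
            source = anon_logons[-1][1] if anon_logons else None
            findings.append({"kind": "dc_account_reset_anonymous",
                             "account": ev["target"], "source_ip": source, "ts": ev["ts"]})
        elif eid in (5827, 5828):
            findings.append({"kind": "vulnerable_netlogon_denied",
                             "account": ev.get("target"), "source_ip": ev.get("source_ip"),
                             "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['ts']:>4}] {f['kind']}: account={f['account']} source={f['source_ip']}")
```

The 4742 rule deliberately fires even when no anonymous 4624 is in the window, since the reset of a DC account by an unauthenticated subject is the signal worth paging on; the correlation only adds attribution. The 5827/5828 events exist only on DCs that have the August update installed, so their absence on an unpatched DC says nothing.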
Four proof-of-concept (PoC) exploits were recently released for the issue, which is a critical flaw rating 10 out of 10 on the CVSS severity scale. That prompted the U.S. Cybersecurity and Infrastructure Security Agency to issue a dire warning that the “vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.” It also mandated that federal agencies patch their Windows Servers against Zerologon, in a rare emergency directive issued by the Secretary of Homeland Security.