Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft's security intelligence team said this morning.
"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472[1] Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks," the company wrote in a series of tweets.
Security industry experts had expected the attacks, and for good reason.
Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV[2].
The first proof-of-concept exploit[3] was published hours after the explanatory blog post, confirming Secura's analysis that the Zerologon bug is easy to exploit, even by low-skilled threat actors.
A more in-depth explanation of the Zerologon bug is available in our initial coverage of the vulnerability[4], but, in short, Zerologon is a flaw in Netlogon, the remote protocol that domain-joined Windows machines use to authenticate to a Windows Server running as a domain controller. The weakness is cryptographic: the handshake encrypts the client's challenge with AES-CFB8 under an all-zero initialization vector, so an attacker who sends all-zero challenges needs no credentials at all and, on average, succeeds once every 256 attempts, after which they can act as any machine account, including the domain controller's own. Exploiting the bug therefore lets an attacker with network access to the domain controller take it over, and with it the company's internal network.
Zerologon was described by many as the most dangerous bug revealed this year. Over the weekend, DHS's cybersecurity agency CISA gave federal agencies three days[5] to patch domain controllers or disconnect them from federal networks.
In an alert on Monday, CISA said the Zerologon bug also impacts the Samba file-sharing software[6], which also needs to be updated. Samba's own advisory narrows the exposure: the bug applies only when Samba is used as a domain controller, and Samba 4.8 and later default to "server schannel = yes", which already rejects the vulnerable handshake, so the installations most at risk are 4.7 and earlier, or any version where an administrator has set "server schannel" to "no" or "auto".
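For administrators who have just pushed the patch and want to confirm where a domain controller stands, the following script is an added example for this article; it is not code from Microsoft, CISA or the original page. It assumes an elevated PowerShell session on the domain controller itself, and it relies on two facts documented in Microsoft's KB4557222 guidance for CVE-2020-1472: the August 2020 update introduces the FullSecureChannelProtection registry value that switches the DC into enforcement mode early, and it adds Netlogon event IDs 5827 through 5831 to the System log so that vulnerable secure channel connections can be seen before enforcement breaks them. The seven-day lookback window is an arbitrary choice for the example.

```powershell
# Added example (not from the article, Microsoft or CISA): report a domain controller's
# Zerologon (CVE-2020-1472) mitigation state. Run elevated on the DC. Assumes the August
# 2020 (or later) cumulative update is installed; without it neither the registry value
# nor the event IDs below exist (see Microsoft KB4557222).

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'FullSecureChannelProtection'

# 1. Enforcement mode: value 1 rejects every vulnerable Netlogon secure channel connection.
#    Absent or 0 means the DC is in the initial deployment phase: Windows machine and trust
#    accounts are already protected, but non-compliant devices are still allowed and only logged.
$item = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $item -and $item.$valueName -eq 1) {
    Write-Output "$valueName = 1: enforcement mode ON, vulnerable connections are rejected."
} else {
    Write-Output "$valueName absent or 0: logging-only phase, vulnerable connections from non-Windows devices are still allowed."
}

# 2. Netlogon events added by the update (System log):
#    5827/5828 - vulnerable connection denied (machine account / trust account)
#    5829      - vulnerable connection ALLOWED; each one is a client that must be fixed before enforcement
#    5830/5831 - vulnerable connection allowed by the group policy exception for listed accounts
$lookback = (Get-Date).AddDays(-7)   # arbitrary window for this example
$filter = @{ LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831; StartTime = $lookback }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No Netlogon 5827-5831 events since $lookback. Either no vulnerable connections occurred, or the August 2020 update is not installed and these IDs cannot be logged."
} else {
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        Write-Output ("Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count)
    }
    # 5829 entries name the machine account that still negotiates the vulnerable way;
    # show the first line of each message so the offending hosts can be tracked down.
    $events | Where-Object Id -eq 5829 |
        Select-Object -First 20 TimeCreated, @{ Name = 'Detail'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

The important caveat is the one the script prints: an empty event log is not proof of safety. A DC that has never received the August 2020 update will also show no 5827-5831 events and no registry value, so the absence of both should be treated as "patch status unknown" until the installed update is confirmed, not as a clean result.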
While Microsoft has not released details about the attacks, it