Microsoft has warned Windows 10 customers that it has received "a small number of reports" about attacks on its Netlogon protocol, which it patched in August.
The Windows maker issued another alert on Thursday[1] following its warning in September that attackers were exploiting the elevation of privilege vulnerability affecting the Netlogon Remote Protocol (MS-NRPC[2]).
It's a protocol used by admins for authenticating Windows Server as a domain controller. The flaw it contained was serious enough for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to order US government agencies to apply Microsoft's patch for the bug – tracked as CVE-2020-1472 but also called Zerologon[3] – within three days of its release in the August Patch Tuesday update.
Defensive security researchers found that the bug was easy to exploit, making it a prime target for more opportunistic attackers. But when Microsoft released the patch on Tuesday, August 11, some system admins were not aware of its severity.
Attackers could exploit the flaw to run malware on a device on the network after spoofing Active Directory domain controller accounts. Proof-of-concept Zerologon exploits also became publicly available soon after Microsoft released its patch, which made the flaw even more attractive as a weapon.
CISA warned agencies to patch the flaw swiftly because Windows Server domain controllers are widely used in US government networks, and the bug had a rare severity rating of 10 out of 10. It prompted CISA to direct agencies to apply the patch in the same week that Microsoft's August 11 patch was released.
Microsoft has updated its support document for the bug[5] to provide further clarity. It recommends that admins update Domain Controllers with the