Microsoft warns again of Windows Zerologon attacks

Microsoft warned once again today that hackers continue to exploit systems that are not protected against the ZeroLogon vulnerability in the Netlogon Remote Protocol (MS-NRPC).

On Windows Server devices where vulnerability has not yet been fixed, intruders can forge a domain controller account to steal credentials and take over the entire domain after a successful intrusion.

"We warmly encourage those who have not installed the update to take this step now. Customers must install the update and follow the initial guidance as described in KB4557222 to ensure that they are fully protected from this vulnerability ", Gupta added.

Reminder to all our Windows customers to deploy at least the August 2020 update or later and follow the original, published guidance to fully resolve the vulnerability, CVE-2020-1472. For further information, see our blog post: https://t.co/br77bEP0mu

- Security Response (@msftsecresponse) October 29, 2020

The Zerologon is a critical vulnerability which allows intruders to upgrade permissions on a domain admin, allowing them to take full control of the entire domain, change each user's password, and execute any arbitrary command.

Microsoft is releasing the Zerologon fix in two stages, as it may cause various authentication issues on some of the affected devices.

Because the initial Zerologon patch documentation was confusing, Microsoft outlined steps for administrators to protect devices from attacks using Zerologon exploits.

The update program mentioned by Microsoft includes the following steps:

INFORMATION of Domain Controllers (domain controllers) with an update released on August 11, 2020 or later.
FIND which devices make vulnerable connections by monitoring event logs.
FIND THE ADDRESS on incompatible devices that make vulnerable connections.
ACTIVATE the enforcement function to deal with it CVE-2020-1472 in your environment.