Microsoft has outlined the steps its customers need to take to ensure their devices are protected from the ongoing attacks exploiting the Windows Server Zerologon vulnerability (CVE-2020-1472).
The company updated the guidance it had originally published after customers found it hard to follow and were unsure whether installing the updates alone was enough to protect vulnerable Windows Server devices from these attacks.
The updated publication walks administrators step by step through exactly what to do so that their machines are protected against incoming attacks designed to exploit Zerologon.
Microsoft sets out the following plan for Windows administrators to follow when implementing the “CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability” security update, which was released as part of the August 2020 Patch Tuesday:
The Zerologon vulnerability
CVE-2020-1472 is a critical security vulnerability with a CVSS score of 10/10. It was named Zerologon by the security company Secura, and when exploited it allows intruders to elevate their privileges to domain administrator.
This makes it very easy for them to take over the domain, as they can change any user's password and run whatever commands they want.
Because the security update Microsoft released in August can cause authentication problems on some affected devices, the company released the Zerologon patch in two stages.
The first stage was released on August 11 as a security update that prevents Windows Active Directory domain controllers from accepting insecure RPC communication.
It also logs authentication requests from non-Windows devices that do not use secure RPC channels, giving administrators time to fix those devices.
From February 9, 2021, as part of that month's Patch Tuesday updates, Microsoft will release a further update that switches on an enforcement phase requiring all network devices to use secure RPC, unless expressly permitted by administrators.
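As an added example (not part of Microsoft's article or its guidance), a PowerShell check an administrator could run on a domain controller to see where it stands in this two-stage rollout: it reports whether the Netlogon enforcement registry value is set and summarises the Netlogon secure-channel events the August update writes to the System log. It assumes the FullSecureChannelProtection registry value and the event IDs 5827 to 5831 that Microsoft documented for this update, and it assumes the event messages carry the "Machine SamAccountName" and "Client IP Address" fields.

```powershell
# Added example: audit a domain controller's Zerologon rollout status.
# Assumes the registry value and event IDs from Microsoft's CVE-2020-1472
# guidance (they are not listed in the article above).
$Days = 7

# 1 = enforcement mode (every device must use secure RPC); 0 or absent = deployment mode.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mode = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($mode -eq 1) { Write-Host 'Netlogon secure channel: ENFORCEMENT mode' }
else             { Write-Host 'Netlogon secure channel: deployment mode (vulnerable connections still allowed)' }

# Netlogon events the August 2020 update writes to the System log, and what each means.
$meaning = @{
    5827 = 'Denied: machine account used a vulnerable Netlogon secure channel'
    5828 = 'Denied: trust account used a vulnerable Netlogon secure channel'
    5829 = 'Allowed (deployment mode only): fix this device before enforcement starts'
    5830 = 'Allowed by policy: machine account is in the admin exception group'
    5831 = 'Allowed by policy: trust account is in the admin exception group'
}
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = @($meaning.Keys)
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No Netlogon secure-channel events in the last $Days days."; return }

# Count per event ID so the overall picture is visible at a glance.
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    '{0,5} x {1}: {2}' -f $_.Count, $_.Name, $meaning[[int]$_.Name]
}

# List the distinct callers behind 5829: these are the connections that will be
# refused once enforcement mode is on, so they need fixing or an explicit exception.
$events | Where-Object Id -eq 5829 | ForEach-Object {
    # Assumption: message text contains "Machine SamAccountName: <name>" and "Client IP Address: <ip>".
    $name = if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '?' }
    $ip   = if ($_.Message -match 'Client IP Address:\s*(\S+)')      { $Matches[1] } else { '?' }
    [pscustomobject]@{ Time = $_.TimeCreated; Account = $name; ClientIP = $ip }
} | Sort-Object Account -Unique | Format-Table -AutoSize
```

Run it in an elevated session on each domain controller; an empty 5829 list is the sign that turning on enforcement will not break anything.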
We have updated the KB article for CVE-2020-1472 to provide clarity on customer actions to ensure they are protected. See details here: https://t.co/l4MwY9DFvt
- Security Response (@msftsecresponse) September 28, 2020
Ongoing Zerologon attacks
Last week, Microsoft warned administrators to urgently install the Zerologon security updates after discovering that the vulnerability was being exploited in attacks.
Microsoft Threat Intelligence analyst Kevin Beaumont confirmed that the attacks began on September 26, when attackers successfully compromised a vulnerable Active Directory honeypot server with a Zerologon exploit.
Yesterday, security researchers at Cisco Talos also warned of "a sharp increase in vulnerability in Microsoft CVE-2020-1472".