Microsoft says attackers are still exploiting the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to break into computers that do not have the security updates installed. Although Microsoft released security updates in August to address the vulnerability, many users, especially business users, have not updated their Windows Server devices, leaving them exposed to elevation-of-privilege attacks.
On systems that do not have the security updates installed, an attacker could exploit the Zerologon vulnerability to spoof domain accounts and steal sensitive information about the domain, or even take control of the entire domain.
In an official blog post, Aanchal Gupta, Microsoft's vice president of engineering at the Security Response Center, called on users who have not yet updated to install the August security update as soon as possible:
"For any domain controller, installing a security update released on or after August 11, 2020 is a critical first step in addressing this vulnerability. After the installation is complete, the Active Directory domain controller and trust accounts will be protected along with the Windows domain accounts. Therefore, we strongly recommend that any users who have not updated install the security update as soon as possible. Customers need to follow the KB4557222 guidelines after installing the update to ensure that the system is best protected."
Because some of the devices affected by the Zerologon vulnerability have validation issues, Microsoft is rolling out its fix for the vulnerability in two phases, and it has also updated the FAQ in the original vulnerability advisory to answer users' questions more clearly.
If the user's environment is running Microsoft Defender for Identity or Microsoft 365 Defender, those products can also alert the user immediately when a Zerologon exploitation attempt occurs.
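As an added, defender-side example that is not part of the article or of Microsoft's own tooling, the following PowerShell script checks a domain controller for the two things the quoted guidance asks for: the Netlogon enforcement registry setting and the Netlogon event IDs that KB4557222 documents. The registry value name (FullSecureChannelProtection), the event source name and the event IDs 5827-5831 are taken from that KB article and are assumptions of this example, not values stated in the article above.

```powershell
# Added example (not Microsoft's code): audit a domain controller for the
# Zerologon (CVE-2020-1472) hardening steps described in KB4557222.
# Run elevated on each DC. Registry value and event IDs are as documented
# in KB4557222 (assumed here, not taken from the article itself).

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'FullSecureChannelProtection'

# 1. Enforcement mode: 1 means vulnerable Netlogon secure-channel
#    connections are rejected rather than merely logged.
$mode = (Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
switch ($mode) {
    1       { Write-Host "[OK]   $valueName = 1 (enforcement mode)" }
    0       { Write-Host "[WARN] $valueName = 0 (vulnerable connections still permitted)" }
    default { Write-Host "[INFO] $valueName not set; behaviour follows the update's default phase" }
}

# 2. Netlogon events from the last 7 days in the System log, per KB4557222:
#    5827/5828 = vulnerable connection denied (machine / trust account)
#    5829      = vulnerable connection allowed (logged before enforcement)
#    5830/5831 = vulnerable connection allowed by an explicit policy exception
$ids = 5827, 5828, 5829, 5830, 5831
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = $ids
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "[INFO] No Netlogon 5827-5831 events in the last 7 days (also true if the update is not installed)"
} else {
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        Write-Host ("Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count)
    }
    # 5829 entries name the devices that would break once enforcement is on;
    # list them so they can be patched or reconfigured before enforcing.
    $events | Where-Object Id -eq 5829 | Select-Object -First 20 TimeCreated, Message
}
```

Any 5829 entries are the devices to fix before switching FullSecureChannelProtection to 1; a DC that shows no events at all should first be checked for the August 2020 update itself.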