Microsoft Warns of Attacks Against Computers That Have Not Patched Zerologon

A few weeks ago we looked at what the Zerologon vulnerability is about, a flaw that affects Windows domain controllers. Attackers are exploiting it to compromise victims' networks. Fortunately, Microsoft released patches to fix the problem and deny attackers free rein. The trouble today is that many organisations still have not updated their systems, and Microsoft is now warning of attacks that are actively taking advantage of this vulnerability.

Microsoft warns of attacks using Zerologon

The software giant has warned that cybercriminals are exploiting the Zerologon privilege escalation vulnerability in the Netlogon Remote Protocol (MS-NRPC), tracked as CVE-2020-1472. Microsoft says it has received reports from customers and others confirming continued exploitation.

Attacks against computers that have not patched Zerologon

As we already know, this vulnerability was fixed in August 2020. Microsoft released patches to protect domain controllers and prevent this type of attack. However, not every organisation has installed the security updates correctly, and those that have not remain exposed.

On a Windows Server domain controller where the vulnerability has not been patched, an attacker who can reach the Netlogon service over the network needs no credentials at all: they can impersonate the domain controller's own computer account, reset its password, and from there extract credentials and take over the entire domain.

Microsoft strongly recommends that anyone who has not yet applied the update do so now. Customers should install the update and follow the steps described in KB4557222, which explains the phased rollout and the enforcement mode, to make sure they are fully protected against this vulnerability.

As we know, Zerologon is a critical vulnerability that lets an attacker elevate privileges to domain administrator, which means full control of the entire domain: changing any user's password and running arbitrary commands on any machine in it.

Microsoft's update plan

Microsoft has published an update plan that every administrator should follow to close this vulnerability. The plan consists of a series of actions, which we summarise below.

The first step is to update the domain controllers. This has been possible since August 11, 2020, when the update was published. However, as we have already mentioned, many administrators still have not applied it.

Next, identify which devices are still making vulnerable Netlogon connections by monitoring the event log: once patched, a domain controller records these connections in the System log (event IDs 5827 through 5831, as described in KB4557222).

The third action in Microsoft's plan is to address the non-compliant devices that are found making vulnerable connections, for example third-party systems that need a vendor update.

Lastly, the fourth action is to enable enforcement mode for CVE-2020-1472 across the environment, so that the domain controllers reject any remaining vulnerable connection.
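The four steps above can be scripted on a patched domain controller. The following PowerShell is an added example written for this article; it is not code from the original page or from Microsoft. The event IDs 5827 to 5831 and the registry value FullSecureChannelProtection are the ones documented in KB4557222; the regex that pulls the machine account out of the event message, the seven-day window and the reliance on Get-HotFix dates are assumptions of this example and should be checked against your own environment.

```powershell
#Requires -RunAsAdministrator
# Added example for the KB4557222 plan (not code from the original article or from Microsoft).
# Run on a domain controller.

# Step 1: confirm that a cumulative update from on or after 2020-08-11 is installed.
# Assumption: Get-HotFix reports an InstalledOn date for the relevant update.
function Test-NetlogonPatchInstalled {
    $patched = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge (Get-Date '2020-08-11') }
    if (-not $patched) {
        Write-Warning 'No update dated 2020-08-11 or later found: this DC is still vulnerable.'
        return $false
    }
    return $true
}

# Step 2: list devices that are still making vulnerable Netlogon connections.
# Event IDs from KB4557222: 5827/5828 denied, 5829 allowed (device still using a
# vulnerable connection), 5830/5831 allowed only because of the Group Policy exception.
function Get-VulnerableNetlogonConnections {
    param([int]$Days = 7)   # assumption: one week of history is enough to see every client
    $filter = @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829, 5830, 5831
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the message carries a "Machine SamAccountName:" line; fall back to the raw text.
        $account = if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { $_.Message }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Outcome     = if ($_.Id -in 5827, 5828) { 'Denied' } else { 'Allowed (still vulnerable)' }
            Account     = $account
        }
    }
}

# Step 3 is manual: patch or replace each device reported above. A temporary exception can be
# granted through the "Domain controller: Allow vulnerable Netlogon secure channel connections"
# Group Policy setting, which produces the 5830/5831 events so the exception stays visible.

# Step 4: enable enforcement mode so the DC rejects every remaining vulnerable connection.
function Enable-NetlogonEnforcementMode {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name 'FullSecureChannelProtection' -Value 1 -Type DWord
    (Get-ItemProperty -Path $key -Name 'FullSecureChannelProtection').FullSecureChannelProtection -eq 1
}

# Usage: check the patch, review who is still vulnerable, and only then enforce.
if (Test-NetlogonPatchInstalled) {
    $pending = Get-VulnerableNetlogonConnections | Where-Object Outcome -ne 'Denied'
    $pending | Sort-Object Account -Unique | Format-Table TimeCreated, EventId, Account -AutoSize
    if (-not $pending) {
        Write-Host 'No device is still relying on a vulnerable connection; enabling enforcement mode.'
        Enable-NetlogonEnforcementMode
    } else {
        Write-Warning 'Fix the devices listed above before enabling enforcement mode.'
    }
}
```

The script deliberately refuses to switch on enforcement while any 5829, 5830 or 5831 event is still appearing, because enforcement mode will cut those devices off from the domain. Note also that since the February 9, 2021 update Microsoft enables enforcement on patched domain controllers by default, so the registry value mainly matters for domain controllers that were patched before that date.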

In short, Microsoft has issued a warning that attacks exploiting the Zerologon vulnerability are under way. This is not the first time: in September 2020 it also reported that attackers were carrying out attacks against systems that had not been patched against this flaw.

As always, we recommend keeping systems updated to the latest versions to avoid security problems like this one. That applies to every operating system and device we use, and in this case above all to the domain controllers.