November 26, 2020

Microsoft has detected ongoing attacks using the Windows Zerologon vulnerability


Microsoft disclosed the Windows Zerologon vulnerability in August. Security updates that block the vulnerability were released at the same time as the disclosure.

The vulnerability carries a CVSSv3 score of 10.0, the maximum severity, and is especially dangerous for large enterprises that rely on domain controllers.

An attacker can use it to escalate privileges to the domain administrator level, and then use those privileges to reset the password of any computer in the domain or execute arbitrary commands.

Earlier, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning reminding government departments and enterprises to take immediate measures to fix this vulnerability.


The Microsoft security team recently warned that threat actors are actively exploiting this vulnerability, and that systems that have not been patched remain exposed to attackers.

Microsoft said it has received reports from customers and industry professionals, mainly concerning ongoing activity that exploits the Windows Zerologon vulnerability.

On an unpatched Windows Server operating system, an attacker can use a spoofed domain controller account to steal credentials and take over the entire domain.

The vice president of the Microsoft Security Response Center said that the company strongly recommends that customers who have not yet fixed the vulnerability take measures to ensure they are fully protected against it.

The vulnerability mainly affects enterprises that run domain controllers. Affected systems range from Windows Server 2008 R2 to Windows Server 2019 and version 2004.

Microsoft has offered a fix for the vulnerability since August 11. Users need to install the August 2020 cumulative update, which blocks the vulnerability.

At the same time, Microsoft is strengthening the detection of such attacks on devices and domain controllers, but users who do not install the cumulative updates remain affected by the vulnerability.

Microsoft will require all devices that use domain controllers to install the updates in the first quarter of 2021. Devices on which the fixing updates have not been installed will become inaccessible.
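The detection that the August 2020 update adds to domain controllers, and the enforcement mode described above, can both be checked from the domain controller itself. The following PowerShell is an added example, not code from the article or from Microsoft; the Netlogon event IDs 5827 through 5831 and the FullSecureChannelProtection registry value are the ones Microsoft documents for CVE-2020-1472, while the 24-hour lookback window is an assumption.

```powershell
# Added example (not from the article): run on a domain controller to list which
# accounts still negotiate vulnerable Netlogon secure channels and whether
# enforcement mode is already switched on. Assumes the August 2020 update,
# which introduces this logging, is installed; the lookback window is arbitrary.
param([int]$LookbackHours = 24)

# Event IDs Microsoft documents for CVE-2020-1472 (System log, source NETLOGON).
$netlogonEvents = @{
    5827 = 'Denied: vulnerable connection from a machine account'
    5828 = 'Denied: vulnerable connection from a trust account'
    5829 = 'Allowed: vulnerable machine account connection (patch this client)'
    5830 = 'Allowed by policy: vulnerable machine account connection'
    5831 = 'Allowed by policy: vulnerable trust account connection'
}

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = @($netlogonEvents.Keys)
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon secure-channel events since $since."
    Write-Host "Either no vulnerable connections occurred, or the August 2020 update is not installed."
}
else {
    # Summarise per event ID and show the first few messages, whose first line
    # names the account that made the vulnerable connection.
    $events | Group-Object Id | ForEach-Object {
        $id = [int]$_.Name
        Write-Host ("{0,-4} {1,3} event(s): {2}" -f $id, $_.Count, $netlogonEvents[$id])
        $_.Group | Select-Object -First 5 | ForEach-Object {
            Write-Host ('     ' + ($_.Message -split "`n")[0])
        }
    }
}

# Enforcement mode: 1 makes the DC reject every vulnerable Netlogon connection
# (the behaviour Microsoft applies to all DCs in the enforcement phase).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mode = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
switch ($mode) {
    1       { Write-Host 'Enforcement mode: ON (FullSecureChannelProtection = 1)' }
    0       { Write-Host 'Enforcement mode: explicitly OFF; vulnerable connections are still allowed' }
    default { Write-Host 'Enforcement mode: not set; the DC stays in deployment mode until enforcement begins' }
}
```

Any account reported under event ID 5829 is a device that has not yet received the fix and will lose its secure channel once enforcement mode is on.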