Malicious hackers are now targeting one of the highest-impact Windows vulnerabilities patched this year.

The vulnerability, named Zerologon and tracked as CVE-2020-1472, lets an attacker with network access to a domain controller take over Active Directory, the service on Windows servers that authenticates and manages every machine joined to a domain, within seconds. It works by sending Netlogon Remote Protocol messages filled with zeros: the protocol's credential computation uses AES in CFB8 mode with an all-zero initialization vector, so for roughly one in 256 session keys an all-zero challenge produces an all-zero credential, and an attacker who simply keeps retrying can authenticate as the domain controller's own machine account without knowing its password.
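The zero-IV weakness described above, as an added example that is not code from the article or from any published exploit: a Python model of the Netlogon credential computation (CFB8 over the challenge with a zero IV). The AES block function is replaced by a constructed keyed-hash stand-in so the script runs with the standard library only, and the session keys and attacker loop are likewise constructed for the demo. It models only the credential step, not the full Netlogon handshake, the signing/sealing downgrade, or the machine-password reset that the real exploit chains afterwards.

```python
import hashlib
import random
from typing import Optional

BLOCK = 16              # AES block size; the real protocol uses AES-128
ZERO_IV = bytes(BLOCK)  # MS-NRPC's AES variant fixes the IV at all zeros (the flaw)
CHALLENGE = bytes(8)    # 8-byte client challenge of all zeros, as the exploit sends


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function, constructed for this demo only.

    A keyed hash truncated to one block is good enough here: its first
    output byte is 0x00 for about 1 in 256 keys, like a real block cipher.
    """
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: encrypt the shift register, XOR its first byte with one
    plaintext byte, then shift that ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential as the vulnerable AES variant defines it:
    CFB8 over the challenge with an all-zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """True when E(key, 0^16) starts with 0x00. In that case an all-zero
    challenge feeds a zero ciphertext byte back into the register, the
    register never changes, and every credential byte comes out zero."""
    return toy_block_encrypt(session_key, ZERO_IV)[0] == 0


def zero_credential_rate(trials: int = 4096) -> float:
    """Fraction of constructed, deterministic session keys for which the
    all-zero challenge yields an all-zero credential. Expect about 1/256."""
    hits = 0
    for i in range(trials):
        key = i.to_bytes(BLOCK, "big")
        if compute_netlogon_credential(key, CHALLENGE) == bytes(len(CHALLENGE)):
            hits += 1
    return hits / trials


def simulate_attacker(max_attempts: int = 5000, seed: int = 1) -> Optional[int]:
    """Model the exploit loop: every authentication attempt gets a fresh
    session key (derived server-side from the machine password and both
    challenges, which the attacker does not control), and the attacker keeps
    sending an all-zero challenge plus an all-zero credential until the
    server happens to compute the same all-zero value.

    Returns the attempt number on success, or None if max_attempts is hit.
    """
    rng = random.Random(seed)  # constructed, deterministic for the demo
    for attempt in range(1, max_attempts + 1):
        session_key = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        if compute_netlogon_credential(session_key, CHALLENGE) == bytes(len(CHALLENGE)):
            return attempt
    return None


if __name__ == "__main__":
    print(f"zero-credential rate over 4096 keys: {zero_credential_rate():.4f} "
          f"(1/256 = {1/256:.4f})")
    print(f"attacker succeeded after {simulate_attacker()} attempts")
```

The point to take from the run is structural rather than statistical: whether the credential collapses to zeros depends only on the first keystream byte, which is why the success probability is a flat 1/256 per attempt regardless of how long the challenge is, and why a few hundred attempts, each taking milliseconds over RPC, are enough.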

The flaw carries a CVSS score of 10.0, the highest rating the Common Vulnerability Scoring System allows. Even so, it received little attention when Microsoft patched it in August, when Microsoft's own assessment rated it “less likely” to be exploited.

It only got the spotlight last week, when several proof-of-concept exploits were released alongside a detailed writeup that spelled out both the severity of the vulnerability and how easy it is to exploit.

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon,” Microsoft representatives wrote. “We have observed attacks where public exploits have been incorporated into attacker playbooks.”

Microsoft also published hashes of several files used in the attacks, but gave no further details publicly. It released a threat analytics report meant to help administrators assess their networks' exposure, but the report is available only to Office 365 subscribers, and Microsoft did not respond when asked whether it would release a copy to non-subscribers.

It is hard to overstate the severity of an exploit that can take control of Active Directory, and the domain controller servers it runs on, with a few dozen lines of code. Active Directory is the central provisioning directory for a Windows network and one of the most coveted targets for attackers: whoever controls it can push malware, create accounts, and issue commands to an entire fleet of computers within minutes.

Attackers typically start by compromising a low-privileged machine or account, most often by tricking an employee into clicking a link or entering a password on a phishing page, and then spend weeks or even months escalating privileges before they can install malware and run commands across the network. Zerologon collapses that timeline: an attacker who can reach a domain controller's Netlogon service over the network gets near-instant control of Active Directory, with no credentials at all.

Finally, the fix itself carries risk, and the cure can be worse than the disease: the August update changes how domain controllers handle Netlogon secure channel connections, and its later enforcement phase rejects connections from devices that do not use secure RPC, so applying it blindly can break a network's most sensitive resource. Patched domain controllers log these cases in the System event log (event IDs 5827 through 5831; 5829 in particular marks vulnerable connections that are still being allowed only because enforcement is not yet on), and administrators should review those events before enforcement begins. Meanwhile, the Department of Homeland Security's CISA, in Emergency Directive 20-04, ordered federal agencies to apply the patch no later than Monday night or to remove unpatched domain controllers from the network.