Two days after bug hunters and threat intelligence analysts sounded the alarm over Zerologon, Microsoft said hacking groups are using the privilege escalation vulnerability against Windows server operating systems in the wild.
Analysts warned Tuesday that the exploit would likely show up in open source hacking tools and be used in attacks.
“Microsoft is actively tracking threat actor activity using exploits for [Zerologon]. We have observed attacks where public exploits have been incorporated into attacker playbooks,” Microsoft’s Security Intelligence branch announced Sept. 23 on Twitter while also publishing a related sample Indicator of Compromise.
SC Media has reached out to Microsoft for more details and will update this piece with any response.
While security practitioners are often inundated with bugs that need patching or fixing, there was reason to prioritize this particular weakness. Apart from being rated “critical,” multiple firms – including Secura, which first identified the vulnerability – have already developed proof of concept code. Security researchers were also able to easily add it to existing open source hacking tools and make modifications that made it cheaper and easier for malicious hackers to use against companies.
Civilian federal agencies were ordered to immediately patch their systems due to the public availability of the malicious code, the prevalence of such domain controllers across federal agencies (not to mention the private sector), the “high potential for compromise” and “the grave impact of a successful compromise.”
All the analysis pointed to the same advice to security practitioners: don’t waste a lot of time trying to detect this flaw. Patch everything and patch it now.
“Due to the availability of exploit code and the high impact of successful exploitation, real world attacks are expected in the immediate future,” security firm eSentire warned its customers this week. “Successful exploitation could lead to elevated privileges (such as domain administrator), making this exploit highly valuable for adversaries with a foothold inside of networks.”