'ZeroLogon' hackers scan for unpatched servers


Researcher's honeypot picks up exploitation attempt.

Unknown attackers are scanning the internet and attempting to exploit "ZeroLogon", the privilege escalation bug in the Netlogon Remote Protocol (MS-NRPC) that Windows domain controllers use to authenticate machines. The flaw carries the maximum 10.0 severity rating on the Common Vulnerability Scoring System (CVSS).


Microsoft security researcher Kevin Beaumont noted over the weekend that someone had sent hundreds of login attempts that match the exploit chain for ZeroLogon.

The unauthenticated attacker also succeeded in resetting the machine account password of Beaumont's honeypot domain controller to an empty string, which is the outcome the ZeroLogon exploit produces.

Beaumont's "BluePot" is an internet-exposed Active Directory domain controller with TCP ports 135 (the RPC endpoint mapper) and 445 (SMB) listening for connections, and with the dynamic remote procedure call ports reachable as well.

The honeypot is patched only up to Microsoft's July 2020 security updates, so it lacks the August fix, and its telemetry is fed into Microsoft's Azure Sentinel security information and event management (SIEM) service.

"So, this is an escalation in the threat landscape. Somebody is owning unpatched internet connected Active Directory servers. There’s a few," Beaumont warned.

Microsoft is addressing the flaw in two stages. The first is the set of patches issued in August 2020, which make a patched domain controller refuse vulnerable Netlogon secure channel connections from Windows devices and log the non-compliant connections it still allows from other devices. The second is an enforcement phase starting in February 2021, when enforcement mode is switched on by default and domain controllers reject every vulnerable Netlogon connection that has not been explicitly allowed.
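The practical consequence of the two-stage rollout is that a patched domain controller logs which accounts still rely on vulnerable Netlogon connections, and those are the ones that stop working when enforcement turns on. The following is an added example, not code from the article or from Microsoft, that triages such events offline. The event IDs (5827 and 5828 for denied connections, 5829 for allowed ones, 5830 and 5831 for connections allowed through the group policy exception) follow Microsoft's KB4557222 guidance for CVE-2020-1472; the XML records are constructed samples, and the `Data Name` attributes are assumed from the fields the events display rather than copied from a live export.

```python
"""Triage the Netlogon events that Microsoft's August 2020 update for
CVE-2020-1472 adds to a domain controller's System log.

Added example, not from the article or from Microsoft. Event IDs follow
Microsoft's KB4557222 guidance:
  5827 / 5828  vulnerable secure-channel connection DENIED (machine / trust account)
  5829         vulnerable connection ALLOWED (deployment mode; fails once enforcement is on)
  5830 / 5831  vulnerable connection allowed because of the GPO exception
The XML records are constructed samples; the Data Name attributes are assumed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

OUTCOME = {
    5827: "denied", 5828: "denied",
    5829: "allowed (will fail in enforcement mode)",
    5830: "allowed by GPO exception", 5831: "allowed by GPO exception",
}


def _event(event_id, account, os_name="Windows", build="17763"):
    """Build one constructed System-log record in the EVTX XML shape."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="NETLOGON"/><EventID>{event_id}</EventID><Channel>System</Channel></System>
  <EventData>
    <Data Name="SamAccountName">{account}</Data>
    <Data Name="DomainName">CORP</Data>
    <Data Name="AccountType">Computer</Data>
    <Data Name="MachineOs">{os_name}</Data>
    <Data Name="MachineOsBuildNumber">{build}</Data>
    <Data Name="MachineOsServicePack"></Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [  # constructed sample data, not real log records
    _event(5829, "NAS01$", os_name="Linux", build=""),    # legacy NAS still on unsigned Netlogon
    _event(5829, "NAS01$", os_name="Linux", build=""),
    _event(5827, "DC01$"),                                # repeated denials against the DC's own account
    _event(5827, "DC01$"),
    _event(5827, "DC01$"),
    _event(5830, "PRINTER7$", os_name="Linux", build=""),  # explicitly allowed via GPO exception
    _event(4624, "alice"),                                # unrelated logon event, ignored
]


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one EVTX-style XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def triage(xml_records):
    """Group the CVE-2020-1472 Netlogon events by account and outcome.

    Returns {"DOMAIN\\account": {outcome: count}}. Accounts with an 'allowed'
    outcome stop authenticating when enforcement mode turns on; repeated
    denials against a domain controller's own machine account are worth a
    look, because ZeroLogon targets exactly that account.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for rec in xml_records:
        event_id, data = parse_event(rec)
        if event_id not in OUTCOME:
            continue
        key = f"{data['DomainName']}\\{data['SamAccountName']}"
        summary[key][OUTCOME[event_id]] += 1
    return {acct: dict(outcomes) for acct, outcomes in summary.items()}


def needs_attention_before_enforcement(summary):
    """Accounts still depending on vulnerable connections (5829 or GPO exception)."""
    return sorted(acct for acct, outcomes in summary.items()
                  if any(k.startswith("allowed") for k in outcomes))


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for acct, outcomes in result.items():
        print(acct, outcomes)
    print("fix before February 2021:", needs_attention_before_enforcement(result))
```

On a real domain controller the records would come from the System log (for example an XML export of the NETLOGON provider's events) rather than the constructed list; the parsing and grouping logic is the same.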

The open-source Samba server, which implements Server Message Block (SMB) file sharing and can also act as a domain controller for Windows networks, is likewise susceptible to the CVE-2020-1472 ZeroLogon vulnerability.

Samba versions 4.8 and above are only vulnerable if the "server schannel" parameter is set to "no" or "auto"; versions 4.7 and below are vulnerable unless "server schannel = yes" is present in the smb.conf configuration file, and administrators of those versions are advised to add that setting.
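The version-dependent rule above is easy to get wrong when checking a fleet by hand, so here is an added example, not code from the article or from the Samba project, that encodes it: a small smb.conf parser plus a function that decides whether a given Samba version and configuration are exposed. It applies the article's rule (4.8 and later default to "server schannel = yes", 4.7 and earlier default to "auto") and treats non-domain-controller roles as not exposed, since only a domain controller offers the Netlogon service. The smb.conf texts are constructed samples.

```python
"""Decide whether a Samba domain controller is exposed to CVE-2020-1472
(ZeroLogon) from its version and the "server schannel" setting in smb.conf.

Added example, not from the article or the Samba project. Rule encoded:
  4.8 and later : vulnerable only if server schannel = no | auto (default is yes)
  4.7 and earlier: vulnerable unless server schannel = yes (default is auto)
The smb.conf texts below are constructed samples.
"""
import re

YES_VALUES = {"yes", "true", "1"}  # Samba boolean spellings that mean "yes"


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {parameter: value}}.

    Parameter names are lowercased with internal whitespace collapsed, as
    Samba ignores case and whitespace in names; whole-line comments starting
    with '#' or ';' and blank lines are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip().lower()
    return sections


def parse_version(version):
    """'4.12.6' -> (4, 12); only major.minor matters for the rule."""
    major, minor = re.match(r"(\d+)\.(\d+)", version).groups()
    return int(major), int(minor)


def is_zerologon_exposed(smb_conf_text, samba_version):
    """True if this Samba version with this smb.conf accepts vulnerable Netlogon."""
    glob = parse_smb_conf(smb_conf_text).get("global", {})
    if "domain controller" not in glob.get("server role", ""):
        return False  # member servers and standalone hosts do not serve Netlogon
    default = "yes" if parse_version(samba_version) >= (4, 8) else "auto"
    schannel = glob.get("server schannel", default)
    return schannel not in YES_VALUES


# Constructed sample configurations
WEAK_CONF = """
# explicitly weakened: vulnerable on any version
[global]
   workgroup = CORP
   realm = CORP.EXAMPLE
   server role = active directory domain controller
   server schannel = auto
"""

HARDENED_CONF = """
# the advised setting: not vulnerable on any version
[global]
   workgroup = CORP
   realm = CORP.EXAMPLE
   server role = active directory domain controller
   Server Schannel = Yes
"""

DEFAULT_CONF = """
; no "server schannel" line: outcome depends on the version's default
[global]
   workgroup = CORP
   realm = CORP.EXAMPLE
   server role = active directory domain controller
"""

MEMBER_CONF = """
[global]
   workgroup = CORP
   server role = member server
   server schannel = auto
"""

if __name__ == "__main__":
    for name, conf, ver in [("weak", WEAK_CONF, "4.12.6"), ("hardened", HARDENED_CONF, "4.7.12"),
                            ("default 4.7", DEFAULT_CONF, "4.7.12"), ("default 4.8", DEFAULT_CONF, "4.8.0"),
                            ("member", MEMBER_CONF, "4.5.0")]:
        print(f"{name:12s} samba {ver}: exposed={is_zerologon_exposed(conf, ver)}")
```

Run it against `testparm -s` output or the raw smb.conf of each Samba domain controller together with the version from `smbd --version`; the function only encodes the configuration rule the article gives, so a host that passes still needs the Samba project's own fixed release for the CVE.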

A week ago, the United States Cybersecurity and Infrastructure Security Agency issued Emergency Directive 20-04, requiring federal civilian agencies to apply Microsoft's August 2020 patch to all of their domain controllers.

Copyright © iTnews.com.au . All rights reserved.