Threat Watch

Hackers Scanning for Unpatched Domain Controllers Vulnerable to CVE-2020-1472

A security researcher at Microsoft witnessed hundreds of exploitation attempts against honeypot servers over the weekend that match the exploit chain for “ZeroLogon” (CVE-2020-1472). ZeroLogon is an elevation-of-privilege flaw in the Netlogon Remote Protocol (MS-NRPC) that Domain Controllers expose: a weakness in the protocol’s AES-CFB8 authentication step lets an unauthenticated attacker with network access to a Domain Controller impersonate any computer account, including the Domain Controller itself. The vulnerability was rated critical (CVSS 10.0) when it was disclosed. Microsoft shipped the first half of a two-phase fix in the August 2020 security update, and unknown threat actors are now scanning the Internet for Domain Controllers that still lack it. In the case reported on, the attackers succeeded in resetting the honeypot Domain Controller’s machine account password to an empty value, which is the step the ZeroLogon exploit uses to take over the domain.
The affected honeypot had the July 2020 updates but not the August 2020 updates, which left it vulnerable. The second phase of the fix arrives in February 2021, when Netlogon enforcement mode will be switched on by default and Domain Controllers will reject Netlogon secure-channel connections that do not use secure RPC; administrators who do not want to wait can turn enforcement on early by setting the FullSecureChannelProtection registry value that Microsoft documented alongside the August patch. The open-source Samba server, which can also act as a Domain Controller, is affected as well. Samba 4.8 and later default the “server schannel” parameter to “yes” and are vulnerable only if smb.conf explicitly sets it to “no” or “auto”; Samba 4.7 and earlier default to “auto” and are vulnerable unless smb.conf explicitly sets “server schannel = yes”. As with all vulnerabilities, the first step in preventing threat actors from exploiting this one is to apply the available patch, and then to confirm that the configuration actually enforces the protection the patch provides.
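As an added example (not code from this bulletin or from the Samba project), the shell script below applies the Samba version rule above to an smb.conf: it reads the effective “server schannel” value from the [global] section and reports whether the host is exposed under the 4.7-and-earlier default (“auto”) or the 4.8-and-later default (“yes”). It goes slightly beyond the text by also accepting Samba’s boolean synonyms (yes/true/1 and no/false/0). The function names and the three sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the bulletin or from the Samba project.
# Audits an smb.conf for the ZeroLogon-relevant "server schannel" setting:
#   Samba 4.8+   defaults to "yes";  exposed only if explicitly "no" or "auto"
#   Samba <= 4.7 defaults to "auto"; exposed unless explicitly "yes"
# Function names and sample configs below are constructed for illustration.

# Effective "server schannel" value in [global]: last occurrence wins, the
# parameter name is matched case-insensitively and whitespace-tolerantly,
# whole-line comments (# or ;) are skipped. Prints the value or "unset".
schannel_setting() {
    awk '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^[[:space:]]*\[/ {                          # [section] header
            sec = tolower($0); gsub(/[^a-z]/, "", sec); next
        }
        sec == "global" && tolower($0) ~ /^[[:space:]]*server[[:space:]]*schannel[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)      # keep text after "="
            sub(/[[:space:]]+$/, "", val)
            found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Samba 4.8 and later default "server schannel" to yes; earlier releases to auto.
defaults_to_yes() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 8 ]; }
}

# schannel_status <samba-version> <smb.conf>  -> prints vulnerable | ok | unknown
schannel_status() {
    case $(schannel_setting "$2") in
        yes|true|1) val=yes ;;                       # Samba boolean synonyms
        no|false|0) val=no ;;
        auto)       val=auto ;;
        unset)      val=unset ;;
        *)          echo unknown; return 0 ;;        # unrecognised value
    esac
    if defaults_to_yes "$1"; then
        # 4.8+: only an explicit no/auto re-opens the insecure channel
        case $val in no|auto) echo vulnerable ;; *) echo ok ;; esac
    else
        # <= 4.7: the default (auto) is exposed; only an explicit yes is safe
        case $val in yes) echo ok ;; *) echo vulnerable ;; esac
    fi
}

# --- Constructed sample configurations (not real deployments) --------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    ; the pre-4.8 default: clients that never set up a secure channel are accepted
    Server SChannel = auto
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    ; require a signed/sealed Netlogon secure channel
    server schannel = yes
EOF
cat > "$demo_dir/default.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
EOF

for ver in 4.7 4.12; do
    for f in weak hardened default; do
        printf 'Samba %-5s %-9s -> %s\n' "$ver" "$f" \
            "$(schannel_status "$ver" "$demo_dir/$f.conf")"
    done
done
rm -rf "$demo_dir"
```

To check a live server, pass its version and configuration, for example `schannel_status "$(smbd -V | awk '{print $2}')" /etc/samba/smb.conf` (assuming `smbd -V` prints “Version X.Y.Z”, as current releases do). The script reads only the file it is given and does not follow `include =` directives; for a configuration split across files, feed it the merged output of `testparm -s` instead.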