Microsoft issued a security advisory on Thursday night about targeted attacks exploiting a vulnerability in the Windows Server DNS Service.
“Our investigation reveals that this vulnerability could allow a criminal to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM,” a Microsoft spokesperson said.
Microsoft reported that there were very few known compromises using this flaw, a detail which SANS Institute also confirmed.
“We have two confirmed sources that were attacked on April 4th and 5th. Both were universities in the U.S.,” wrote Kyle Haugsness on the SANS Internet Storm Center blog. “The initial report was from the information security office at Carnegie Mellon University. Nice catch guys! The attacking source IP was the same in both cases: 18.104.22.168.”
Users affected by the issue were advised to disable the DNS Server service's remote-management-over-RPC capability through a registry key setting, and to block TCP and UDP port 445 as well as all unsolicited inbound traffic on ports greater than 1024.
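An audit script for the first of those workarounds, added here as an example rather than taken from the article or from Microsoft's advisory; it assumes (the page does not say) that the relevant setting is the `RpcProtocol` DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters`, interpreted as a bitmask where 1 = RPC over TCP/IP, 2 = RPC over named pipes and 4 = LPC (local calls only).

```powershell
# Added audit example (not from the article). Reports whether the DNS Server
# service's RPC management interface has been restricted to local (LPC) calls.
# Assumptions not stated on the page: registry path, value name and bit meanings.
function Test-DnsRpcWorkaround {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $item = Get-ItemProperty -Path $path -Name 'RpcProtocol' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: the service falls back to its default transports,
        # so the workaround has not been applied on this host.
        return [pscustomobject]@{
            Value             = $null
            RemoteRpcDisabled = $false
            Note              = 'RpcProtocol not set; default transports in use, workaround not applied'
        }
    }

    $v = [int]$item.RpcProtocol
    if ($v -eq 0) {
        # 0 is not one of the documented settings; do not treat it as hardened.
        return [pscustomobject]@{
            Value             = 0
            RemoteRpcDisabled = $false
            Note              = 'RpcProtocol is 0 (undocumented); treat as workaround not applied'
        }
    }

    # Decode the remote-capable transports still enabled in the bitmask.
    $remote = @()
    if ($v -band 1) { $remote += 'TCP/IP' }
    if ($v -band 2) { $remote += 'named pipes' }

    [pscustomobject]@{
        Value             = $v
        RemoteRpcDisabled = ($remote.Count -eq 0)
        Note              = if ($remote.Count -gt 0) {
                                "remote RPC management still reachable over: $($remote -join ', ')"
                            } else {
                                'only LPC enabled; remote RPC management disabled'
                            }
    }
}

# Run locally on the DNS server (requires rights to read HKLM).
Test-DnsRpcWorkaround | Format-List
```

A result of `RemoteRpcDisabled = True` only covers the registry workaround; the port 445 and high-port blocking advised above must be checked separately on the host and network firewalls.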
As Microsoft employees worked over the weekend to mitigate risks caused by the problem, they continued to update the advisory with more details.
“We’ve added some new information about the impact of some of the workarounds on systems with 15 character, or longer, system names,” wrote Christopher Budd on the Microsoft Security Response Center blog. “We’ve also noted that it is possible for a user with valid logon credentials to access the vulnerability over port 445. As always, we’re continuing to work around the clock to monitor the situation closely, continue our technical investigations and develop a security update to address this issue.”