Microsoft already seeing exploit of Zerologon in the wild

Microsoft announced that it detected Zerologon being used in the wild. (Photo by Smith Collection/Gado/Getty Images)

Two days after bug hunters and threat intelligence analysts sounded the alarm over Zerologon, Microsoft said hacking groups are using the privilege escalation vulnerability against Windows server operating systems in the wild.

Analysts warned Tuesday that the exploit would likely show up in open source hacking tools and be used in attacks.

“Microsoft is actively tracking threat actor activity using exploits for [Zerologon]. We have observed attacks where public exploits have been incorporated into attacker playbooks,” Microsoft’s Security Intelligence branch announced Sept. 23 on Twitter while also publishing a related sample Indicator of Compromise.

SC Media has reached out to Microsoft for more details and will update this piece with any response.

While security practitioners are often inundated with bugs that need patching or fixing, there was reason to prioritize this particular weakness. Apart from being rated “critical,” multiple firms – including Secura, which first identified the vulnerability – have already developed proof-of-concept code. Security researchers were also able to easily add it to existing open source hacking tools and make modifications that made it cheaper and easier for malicious hackers to use against companies.

Civilian federal agencies were ordered to immediately patch their systems due to the public availability of the malicious code, the prevalence of such domain controllers across federal agencies (not to mention the private sector), the “high potential for compromise” and the “grave impact of a successful compromise.”

All the analysis pointed to the same advice to security practitioners: don’t waste a lot of time trying to detect this flaw. Patch everything and patch it now.

“Due to the availability of exploit code and the high impact of successful exploitation, real world attacks are expected in the immediate future,” security firm eSentire warned its customers this week. “Successful exploitation could lead to elevated privileges (such as domain administrator), making this exploit highly valuable for adversaries with a foothold inside of networks.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
