Microsoft has released a blog post on cyber threat actors exploiting CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks.
CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes. CISA has released a patch validation script to detect unpatched Microsoft domain controllers. If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.
In the coming weeks and months, administrators should take follow-on actions that are described in guidance released by Microsoft to prepare for the second half of Microsoft’s Netlogon migration process, which is scheduled to conclude in February 2021.
CISA encourages users and administrators to review the following resources and apply the necessary updates and mitigations.
- Microsoft blog post: Attacks exploiting Netlogon vulnerability (CVE-2020-1472)
- Microsoft: August Security Advisory for CVE-2020-1472
- Microsoft: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
- CISA Patch Validation Script
- CISA Joint Cybersecurity Advisory: AA20-283A APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations