Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft's security intelligence team said this morning.
"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks," the company wrote in a series of tweets.
The attacks were expected to happen, according to security industry experts.
Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.
The first proof-of-concept exploit was published hours after the explanatory blog post, confirming Secura's analysis that the Zerologon bug is easy to exploit, even by low-skilled threat actors.
A more in-depth explanation of the Zerologon bug is available in our initial coverage of the vulnerability, but, to simplify it, the Zerologon bug is a vulnerability in Netlogon, the protocol used by Windows systems to authenticate against a Windows Server running as a domain controller. Exploiting the Zerologon bug can allow hackers to take over the domain controller, and inherently a company's internal network.
Zerologon was described by many as the most dangerous bug revealed this year. Over the weekend, the DHS gave federal agencies three days to patch domain controllers or disconnect them from federal networks.