Microsoft US election warning: Attackers hit Windows 10 Netlogon flaw

Microsoft gets reports about attacks on the Netlogon protocol bug in Windows 10.
Written by Liam Tung, Contributing Writer

Microsoft has warned Windows 10 customers that it has received "a small number of reports" about attacks on its Netlogon protocol, which it patched in August.

The Windows maker issued another alert on Thursday following its warning in September that attackers were exploiting the elevation of privilege vulnerability affecting the Netlogon Remote Protocol (MS-NRPC).

Netlogon is the protocol admins rely on for authenticating a Windows Server as a domain controller. The flaw it contained was serious enough for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to order US government agencies to apply Microsoft's patch for the bug, tracked as CVE-2020-1472 and also known as Zerologon, within three days of its release in the August Patch Tuesday update.


Defensive security researchers found that the bug was easy to exploit, making it a prime target for more opportunistic attackers. But when Microsoft released the patch on Tuesday, August 11, some system admins were not aware of its severity.

Attackers could exploit the flaw to run malware on a device on the network after spoofing Active Directory domain controller accounts. Its appeal as a weapon grew further when publicly available proof-of-concept Zerologon exploits appeared soon after Microsoft released its patch.

CISA warned agencies to patch the flaw swiftly because Windows Server domain controllers are widely used in US government networks, and the bug had a rare severity rating of 10 out of 10. That prompted CISA to direct agencies to apply the patch in the same week that Microsoft's August 11 patch was released.

Microsoft has updated its support document for the bug to provide further clarity. It recommends that admins update domain controllers with the patch, monitor logs for devices making vulnerable connections to the server, and enable enforcement mode.

Microsoft and CISA are particularly concerned that the flaw could be used by cyber attackers to disrupt the US elections. The company warned in September that Chinese, Iranian, and Russian hackers had targeted the Biden and Trump campaigns.

"We contacted CISA, which has issued an additional alert to remind state and local agencies, including those involved in the US elections, about applying steps necessary to address this vulnerability," Microsoft said.

The bug was serious enough for Microsoft to issue a registry key that helped admins enable 'enforcement mode' before the company makes that mode mandatory on February 9, 2021.
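The two admin steps mentioned above, checking whether enforcement mode is on and monitoring the logs for vulnerable Netlogon connections, can be audited from a patched domain controller. The script below is an added example, not from the article or from Microsoft; the registry value name and the Netlogon event IDs follow Microsoft's published CVE-2020-1472 guidance, and the regex used to pull the account name out of the event message is an assumption to verify against your own DC's events.

```powershell
# Added example (not from the article): audit a patched domain controller for
# Zerologon enforcement state and for Netlogon events that flag vulnerable
# secure-channel connections. Run in an elevated PowerShell on the DC.

# 1. Enforcement mode is controlled by this DWORD (1 = enforce, per Microsoft's
#    CVE-2020-1472 guidance). Absent = initial deployment phase, not enforcing.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforce = (Get-ItemProperty -Path $regPath -Name 'FullSecureChannelProtection' `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
switch ($enforce) {
    1       { 'Enforcement mode ON: vulnerable Netlogon connections are rejected.' }
    0       { 'Enforcement mode explicitly OFF.' }
    default { 'FullSecureChannelProtection not set: DC is NOT enforcing yet.' }
}

# 2. Netlogon event IDs written to the System log by the August 2020 update:
#    5827/5828 vulnerable connection denied (machine / trust account)
#    5829      vulnerable connection allowed (only logged while not enforcing)
#    5830/5831 vulnerable connection allowed by an explicit group-policy exception
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    'No vulnerable Netlogon connections recorded in the last 7 days.'
    return
}

# 3. One row per account. Assumption: the event message contains a line of the
#    form "SamAccountName: <name>"; anything that does not match is 'unknown'.
#    Accounts with Allowed > 0 are devices that will break once enforcement is
#    switched on, so they need patching (or an explicit exception) first.
$events |
    Group-Object {
        if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    } |
    ForEach-Object {
        [pscustomobject]@{
            Account = $_.Name
            Total   = $_.Count
            Allowed = @($_.Group | Where-Object Id -in 5829, 5830, 5831).Count
            Denied  = @($_.Group | Where-Object Id -in 5827, 5828).Count
        }
    } | Sort-Object Allowed -Descending | Format-Table -AutoSize
```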
