Threat actors are activly exploiting the Windows Server Zerologon vulnerability in recent attacks. Microsoft strongly recommends all Windows administrators to install the security updates.

As part of the August 2020 Patch Tuesday security updates, Microsoft fixed a critical vulnerability (CVE-2020-1472) in Netlogon. The problem exists due the fact that application does not properly impose security restrictions in Netlogon. A remote non-authenticated attacker can use MS-NRPC to connect to a domain controller to obtain domain administrator access.

"Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks. Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat," warned Microsoft.

Microsoft also presented three samples that were used in the attacks to exploit the ZeroLogon vulnerability. The samples are .NET executables with the filename 'SharpZeroLogon.exe'.