Hackers use a critical Windows bug to backdoor unpatched servers


"It's important to me that attackers spray the Internet to automatically provide backdoors into unpatched Active Directory systems," Beaumont told Ars. "This is not good news. It's not particularly sophisticated, but these attackers are doing something effective – which is usually more problematic."

Friday's findings are the most detailed yet on in-the-wild attacks that exploit the critical vulnerability. Late last month and again earlier this month, Microsoft warned that Zerologon was being actively targeted by hackers, some or all of whom belong to a threat group known as Mercury, which has ties to the Iranian government. A few weeks ago, Beaumont's honeypot also recorded exploit attempts.

The researchers named the vulnerability Zerologon because attacks send strings of zeros in a series of messages over the Netlogon protocol, which Windows servers rely on for a variety of tasks, including letting end users log in to a network.
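To make the zero-filled-message pattern concrete, here is an added detection example (not from the article or from Beaumont's honeypot) that flags sources sending repeated all-zero client challenges; the log format, field names and sample lines are constructed assumptions, and a real detection would work from domain controller logs or a network capture.

```python
"""Added example (not from the article): flag Netlogon authentication attempts
whose 8-byte client challenge is all zeros, the pattern the article describes.
The log format below is hypothetical and constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp, source address, client challenge (hex).
SAMPLE_LOG = """\
2020-10-09T12:00:01 src=10.0.0.5 challenge=3fa91c7be204d8c1
2020-10-09T12:00:02 src=203.0.113.7 challenge=0000000000000000
2020-10-09T12:00:02 src=203.0.113.7 challenge=0000000000000000
2020-10-09T12:00:03 src=203.0.113.7 challenge=0000000000000000
2020-10-09T12:00:05 src=10.0.0.9 challenge=0000000000000000
2020-10-09T12:00:07 src=10.0.0.5 challenge=91c2e4aa0b7d33f0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) challenge=(?P<chal>[0-9a-fA-F]{16})$")
ZERO_CHALLENGE = "00" * 8


def parse_log(text):
    """Yield (timestamp, source, challenge) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["chal"].lower()


def find_zerologon_attempts(text, min_attempts=2, window_seconds=60):
    """Return {source: count} for sources that sent at least `min_attempts`
    all-zero challenges inside any `window_seconds` window (the attack repeats)."""
    zero_times = defaultdict(list)
    for ts, src, chal in parse_log(text):
        if chal == ZERO_CHALLENGE:
            zero_times[src].append(ts)
    flagged = {}
    for src, times in zero_times.items():
        times.sort()
        # Sliding window: largest number of zero challenges seen in one window.
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_attempts:
            flagged[src] = best
    return flagged  # for SAMPLE_LOG: {'203.0.113.7': 3}
```

Lowering `min_attempts` to 1 also reports the lone zero challenge from 10.0.0.9, which is worth a look but far less conclusive than a burst.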

Unauthenticated attackers could use the exploit to obtain domain administrator credentials, provided they can establish TCP connections with a vulnerable domain controller. In some cases, attackers can use a separate vulnerability to gain a foothold on a network and then exploit Zerologon to take over the domain controller, the Department of Homeland Security's cybersecurity arm – the Cybersecurity and Infrastructure Security Agency – said last Friday. The agency said the exploits threaten government-controlled electoral systems.

By design, honeypots must disable defenses that are standard on many networks, so they give a one-sided view of what is happening in the real world. Even so, Beaumont's results illustrate both the effectiveness of the current Zerologon attacks and the results they are producing.


Steven Gregory