Microsoft Warns of Continued Exploitation of CVE-2020-1472

Read Time1 Minute, 27 Second

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

10/29/2020 01:11 PM EDT


Original release date: October 29, 2020
Microsoft has released a blog post on cyber threat actors exploiting CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks.

CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes. CISA has released a patch validation script to detect unpatched Microsoft domain controllers. If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.

In the coming weeks and months, administrators should take follow-on actions that are described in guidance released by Microsoft to prepare for the second half of Microsoft’s Netlogon migration process, which is scheduled to conclude in February 2021.

CISA encourages users and administrators to review the following resources and apply the necessary updates and mitigations.

About Post Author

Robert Williams

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: