Hackers are actively attacking Windows Active Directory servers


Attackers use the “Zerologon” exploit to backdoor unpatched Windows servers.

Last month we reported on a Windows vulnerability that allowed anyone to become an Admin on an organization’s Active Directory domain controllers.

Earlier this year, researchers at Secura published an exploit that uses that vulnerability to grant Admin access to anyone. They dubbed the exploit “Zerologon.”

Zerologon works by sending a string of zeros in a series of messages that use the Netlogon protocol. Windows servers rely on this protocol for a variety of tasks, including allowing end-users to log in to a network. Attackers with no authentication can use the Zerologon exploit to gain domain administrative credentials. All it takes is the ability to establish TCP connections with a vulnerable domain controller.

The exploit gives attackers instant access to Active Directory, which admins use to create, delete, and manage network accounts. Active Directory and the domain controllers it runs on are among the most coveted prizes in hacking, because once hijacked, they allow attackers to execute code in unison on all connected machines.
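A defender's view of the behaviour described above, as an added example that is not part of the article: the exploit resets the domain controller's own machine-account password without ever authenticating, so the change shows up in the Security log as a computer-account change (event ID 4742) performed by ANONYMOUS LOGON, and a patched DC that still accepts a vulnerable Netlogon channel logs System event ID 5829. Both event IDs are real Windows IDs not mentioned in the article; the log records below are constructed sample data.

```python
# Added example (not from the Techzine article): a small detector for two traces
# Zerologon activity leaves on a domain controller. Event IDs 4742 and 5829 are
# real Windows event IDs; the records in SAMPLE_EVENTS are constructed, not captured.
ANONYMOUS_SID = "S-1-5-7"   # well-known SID for ANONYMOUS LOGON

SAMPLE_EVENTS = [
    # constructed: DC machine-account password reset with no authenticated subject
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "9/24/2020 10:13:05 AM"},
    # constructed: benign machine-password rotation performed by the account itself
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "WS07$",
     "TargetUserName": "WS07$", "PasswordLastSet": "9/24/2020 10:20:00 AM"},
    # constructed: patched Netlogon still allowing a vulnerable secure channel
    {"EventID": 5829, "SamAccountName": "DC01$", "DomainName": "corp",
     "AccountType": "Domain Controller", "ClientIPAddress": "10.0.0.55"},
    # constructed: unrelated logon event that must not trigger
    {"EventID": 4624, "SubjectUserSid": "S-1-5-18", "TargetUserName": "svc_backup"},
]

def is_zerologon_indicator(ev):
    """Return a short reason string if the event matches, else None."""
    if ev.get("EventID") == 4742:
        target = ev.get("TargetUserName", "")
        # Zerologon resets a machine account (the DC's own) and never authenticates,
        # so the subject of the change is ANONYMOUS LOGON rather than a real principal.
        if ev.get("SubjectUserSid") == ANONYMOUS_SID and target.endswith("$"):
            return f"4742: machine account {target} password changed by ANONYMOUS LOGON"
    elif ev.get("EventID") == 5829:
        # After the August patch, a DC not yet in enforcement mode logs 5829 each time
        # it still accepts a vulnerable Netlogon secure channel; every hit needs review.
        return (f"5829: vulnerable Netlogon channel from {ev.get('ClientIPAddress')} "
                f"as {ev.get('SamAccountName')}")
    return None

def scan(events):
    """Return the reason strings for every event that looks like Zerologon activity."""
    return [r for r in (is_zerologon_indicator(e) for e in events) if r]

if __name__ == "__main__":
    for reason in scan(SAMPLE_EVENTS):
        print("ALERT", reason)
```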

Hackers are launching automated attacks using Zerologon

Kevin Beaumont posted a Medium.com article in which he reported seeing the latest attacks. Beaumont is an independent researcher who operates a personal “honeypot” he uses to detect hacks and hackers.

A “honeypot” is a server that is left deliberately vulnerable to attract hackers. Researchers then analyze the hackers’ actions to better understand how to guard against hacking attempts on actual, in-service servers.

Beaumont saw that attackers penetrated his unpatched “bait” Windows server using a PowerShell script. The script was able to successfully change an admin password and backdoor the server.

Backdoor threats can cause future problems

Beaumont writes that the scripted attacks were automated, not highly sophisticated, but dangerous nonetheless. This is because once they gained access, the attackers managed to activate Remote Desktop on the server.

Remote Desktop allows users to have full access to a Windows environment. Once this service is enabled, the hackers can gain instant access in the future by using the Remote Desktop service.

Microsoft patched the Zerologon vulnerability in August. Anyone using a Windows server that has not been patched should apply the patch immediately.
