“The takeaway for me is attackers are spraying the Internet to provide backdoors into unpatched Active Directory systems in an automated fashion,” Beaumont told Ars. “That isn’t great news. It’s not super sophisticated, but these attackers are doing something effective—which is usually more problematic.”
Friday’s findings are the most detailed yet about in-the-wild attacks that exploit the critical vulnerability. Late last month and again earlier this month Microsoft warned that Zerologon was under active attack by hackers, some or all of them part of a threat group dubbed Mercury, which has ties to the Iranian government. A few weeks ago, Beaumont’s honeypot also detected exploit attempts.
Researchers gave the vulnerability the name Zerologon because attacks work by sending a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers rely on for a variety of tasks, including allowing end users to log in to a network.
People with no authentication can use the exploit to gain domain administrative credentials, as long as the attackers have the ability to establish TCP connections with a vulnerable domain controller. In some cases, attackers may use a separate vulnerability to gain a foothold inside a network and then exploit Zerologon to take over the domain controller, the Department of Homeland Security’s cybersecurity arm—the Cybersecurity and Infrastructure Security Agency—said last Friday. The agency said exploits were threatening government-controlled election systems.
To be effective, honeypots generally must let down defenses that are standard on many networks. In that sense, they can give a one-sided view of what’s happening in the real world. Beaumont’s results are nevertheless illustrative both of the effectiveness of current Zerologon attacks and the concerning results they achieve.