Microsoft tweeted this morning that it is tracking active exploits against the Zerologon vulnerability reported earlier this month. Scott Caveza, Research Engineering Manager at Tenable, comments, on this topic.
“Shortly after the blog post from Secura was published, detailing the impact and technical information about ZeroLogon, multiple proof-of-concept scripts emerged. In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand upon previous code to add further automated and sophisticated attack scenarios. We anticipated attackers would seize the opportunity and begin exploiting the flaw very quickly, which we’re now seeing play out.
Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we’re seeing attacks in the wild. Administrators should prioritize patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns. Several samples of malicious .NET executables with the filename ‘SharpZeroLogon.exe’ have been uploaded to VirusTotal. Microsoft Security Intelligence has shared sample SHA-256 hashes to aid defenders in investigating any exploited systems.“
