Microsoft issued yet another warning that threat actors are continuing to actively exploit systems unpatched against the ZeroLogon privilege escalation vulnerability in the Netlogon Remote Protocol (MS-NRPC). On Windows Server devices where the vulnerability was not patched, attackers can spoof a domain controller account to steal domain credentials and take over the entire domain following successful exploitation.
The continued exploitation of a vulnerability allowing attackers easy and unfettered access to the whole of an organization’s digital resources should come as no surprise. Threat actors will attempt to discover and exploit this vulnerability for as long as it continues to work.
However, while remaining vulnerable does not necessarily mean negligence on the part of organizations that have fallen victim, the most likely reason they fell victim is that they failed to patch. Because non-Windows or homegrown applications and resources may not yet be able to use secure Netlogon connections, some organizations have undoubtedly been forced to weigh the possibility of compromise against the certainty of service downtime.
For businesses stuck in this purgatorial state, understanding what is connecting insecurely and taking measures to update these resources via whatever means necessary is the best path forward towards mitigating the risk of this vulnerability both now and in the future.
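As an added example, not code from the original article, the script below shows one way to do the "understand what is connecting insecurely" step: it reads an export of a domain controller's System log and inventories the accounts that are still making vulnerable Netlogon secure-channel connections, using the NETLOGON event IDs 5827 through 5831 that Microsoft documented for the ZeroLogon update. The event-ID meanings are Microsoft's; the CSV column names and every sample record are constructed assumptions for illustration (a real export, for instance from Get-WinEvent, will need its fields mapped to these names).

```python
"""Inventory vulnerable Netlogon secure-channel connections from a
domain controller System log export.

Event IDs 5827-5831 (source NETLOGON) are the ones Microsoft documented
for the ZeroLogon mitigation. Everything else here (the CSV layout and
the sample rows) is constructed for this example.
"""
from collections import Counter, defaultdict

# Microsoft-documented NETLOGON event IDs on domain controllers.
EVENT_MEANING = {
    5827: "machine account: vulnerable connection DENIED",
    5828: "trust account: vulnerable connection DENIED",
    5829: "machine account: vulnerable connection ALLOWED (enforcement not yet on)",
    5830: "machine account: vulnerable connection ALLOWED by group policy exception",
    5831: "trust account: vulnerable connection ALLOWED by group policy exception",
}

# Events that mean the connection still succeeded; these accounts will
# break once enforcement mode is turned on, so they are the fix list.
STILL_ALLOWED = {5829, 5830, 5831}

# Constructed sample export (assumed column names, not real log data).
SAMPLE_EXPORT = """\
TimeCreated,EventId,SamAccountName,DomainName
2020-10-29T08:01:12,5829,NAS01$,CORP
2020-10-29T08:02:40,5829,NAS01$,CORP
2020-10-29T08:05:03,5830,LEGACYAPP$,CORP
2020-10-29T08:06:51,5827,PRINTSRV$,CORP
2020-10-29T08:09:18,4624,WS0412$,CORP
2020-10-29T08:11:00,5831,PARTNERDOM$,CORP
"""


def parse_export(text):
    """Parse the CSV export, keeping only Netlogon enforcement events."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        event_id = int(row["EventId"])
        if event_id in EVENT_MEANING:  # drop unrelated events such as 4624
            row["EventId"] = event_id
            records.append(row)
    return records


def summarize(records):
    """Group events per account: total count, per-event-ID counts, and
    whether any of them was an allowed (still insecure) connection."""
    by_account = defaultdict(
        lambda: {"count": 0, "events": Counter(), "still_allowed": False}
    )
    for rec in records:
        entry = by_account[rec["SamAccountName"]]
        entry["count"] += 1
        entry["events"][rec["EventId"]] += 1
        if rec["EventId"] in STILL_ALLOWED:
            entry["still_allowed"] = True
    return dict(by_account)


def remediation_queue(summary):
    """Accounts that are still connecting insecurely, busiest first.
    Denied accounts are already blocked and so are not queued."""
    queue = [name for name, e in summary.items() if e["still_allowed"]]
    return sorted(queue, key=lambda n: (-summary[n]["count"], n))


def report(summary):
    """Human-readable listing of the inventory."""
    lines = []
    for name in sorted(summary):
        entry = summary[name]
        status = "FIX BEFORE ENFORCEMENT" if entry["still_allowed"] else "already denied"
        lines.append(f"{name}: {entry['count']} event(s), {status}")
        for event_id, n in sorted(entry["events"].items()):
            lines.append(f"    {event_id} x{n}: {EVENT_MEANING[event_id]}")
    return "\n".join(lines)


if __name__ == "__main__":
    inventory = summarize(parse_export(SAMPLE_EXPORT))
    print(report(inventory))
    print("Remediation order:", remediation_queue(inventory))
```

The accounts flagged as still allowed are the non-Windows or homegrown systems the article describes: they work today only because enforcement is off or a group policy exception exists, and they are the ones to update or replace before the exception is removed. Accounts that only appear in denied events (5827/5828) are already cut off and need attention for a different reason, namely that something is still trying to connect insecurely.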