The U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) over the past weekend issued a directive for government departments and agencies, as well as the private sector, to apply the recently released Windows Server security update to all domain controllers.
Zerologon vulnerability blew the standard patching schedule out of the water for U.S. government agencies who were required by the U.S. Department of Homeland Security CISA to patch their Windows Servers over this past weekend. The fact that CISA issued an emergency directive about Zerologon should have every organization, public or private, take notice. Benjamin Delpy, author of the Windows Server hacking tool mimikatz, has already update his software to exploit this vulnerability; can organizations patch as quickly as he can update?
Organizations need to patch before they even attend a single Microsoft Ignite session this week. Administrative access to Active Directory is serious business, granting attackers elevated access to primary business applications. For example, an attacker could modify a group policy to deliver a payload which can get pushed out to every Windows computer in someone’s network – like reconnaissance software or ransomware. We’ve seen a lot of ransomware attacks prefer to deliver a payload that executes all at once across a network without giving anyone a chance to stop it.
While they are patching Zerologon, organizations should also disable the default Printer Spooler Service on their Domain Controllers, which can be used in the Zerologon or other known exploits. But don’t stop there, organizations need to ensure they have a backup and recovery solution for their Active Directory in case they are compromised or have a ransomware outbreak affecting AD.