Zerologon bug is the most severe Microsoft has experienced

News has emerged that Microsoft has patched a startlingly severe bug, called Zerologon, that affected Windows Servers. Dutch security company Secura B.V. released a blog post detailing how the bug works: by taking over the Netlogon authentication process on Windows Servers, it effectively gives hackers admin rights to the network and allows them to:

• impersonate the identity of any computer on a network when trying to authenticate against the domain controller
• disable security features in the Netlogon authentication process
• change a computer’s password on the domain controller’s Active Directory (a database of all computers joined to a domain, and their passwords)

The bug was named Zerologon, as the attack is achieved by adding zero characters in certain Netlogon authentication parameters.

The attack cannot be launched from outside a network, as the hacker must already be in the network to carry it out, but it is claimed that, once inside, the attacker can take over an entire corporate network in just three seconds.
“This attack has a huge impact,” the Secura team said. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”

The bug has been given a 10/10 severity rating and is also a boon for malware and ransomware hackers, who often rely on infecting one computer inside a company’s network and then spreading to multiple others. With Zerologon, this task has been considerably simplified.

While Microsoft released the patch last month, it is said that a further update, due to be available in February 2021, is required to fully resolve the problem.

Globalnet updates all our clients with Microsoft and software patches automatically, as they are released. In Microsoft’s case, this is every week during what is known as Patch Tuesday. We have run exhaustive tests across all the networks we manage and can reassure our clients that they are currently up to date and safe from any attack via Zerologon.