Tech Talk: Urgent Windows Server Vulnerability Actively Exploited

This column was originally published in the September 27, 2020 editions of Foster's and Seacoast Sunday.

I’ve written in the past about the importance of proactive management of corporate IT infrastructures. A key component of a proactive management plan, whether it is the responsibility of an in-house IT department or outsourced to a trusted IT partner, is patching the servers and computers on the network, both office-based and remote.

Last week, I was proud to see the CompTIA ISAO, an information sharing and analysis organization that I am involved with, issue an urgent alert to its members about a critical vulnerability in Microsoft Windows Server that has been dubbed the Zerologon vulnerability. Thanks to a highly reliable confidential source, details on this issue were shared with us, and we were able to verify the information and get it out to members a full two days before mainstream sources began warning of the risk.

The risk is severe because it allows a hacker to take control of an Active Directory Domain Controller with a remarkably small amount of code that some might consider a bit simplistic. Active Directory is the key to the kingdom, as the saying goes. It governs all user and service accounts and the permissions these accounts have. Exploiting this vulnerability will allow an attacker to target specific elements of a corporate network, and potentially the entire network, with little to no restriction.

Just this week, Microsoft confirmed that this vulnerability was being actively exploited in the wild. Evidence had mounted from the early indicators of compromise that hackers were actively exploiting the vulnerability to gain access to protected network resources.

The Department of Homeland Security also issued a clear and rare directive that agencies apply the necessary patch to close off this vulnerability or remove impacted servers from their networks. This is hardly a trivial directive. It clearly underscored the threat and urgency of this issue. The fact that Microsoft is confirming that the vulnerability is being actively exploited further underscores the severity of the threat. All businesses should be checking with their internal IT departments or outsourced IT partners to confirm that they are both aware of the issue and have taken the necessary steps to protect the business against it. If your IT experts are not aware of this threat, that is reason for serious concern, as this important and time-sensitive issue has been clearly reported on in cybersecurity, general IT, and mainstream media for over a week as of the publication date of this column.

Especially in our current reality of so much remote work taking place, including remote schooling, hackers are taking advantage of ever-increasing attack options. The patching of known and newly discovered security risks like this one is more important than ever. Check in with your IT partners and be sure they have the resources needed to stay abreast of these issues and to act immediately to protect your business.