Update: MS Zerologon Vulnerability

As an update to the NYU IT Security News & Alerts post "Zerologon Vulnerability, Windows Admins Advised to Patch Now," Microsoft has issued a blog post advisory reinforcing the original guidance, because exploitation of the vulnerability tracked as CVE-2020-1472 continues to be observed. Further, CISA (Cybersecurity and Infrastructure Security Agency) reports that nation-state actors are actively exploiting this vulnerability.

To recap, this is an elevation of privilege vulnerability in which a malicious actor can breach unpatched Active Directory controllers and obtain domain administrator access. CISA advises that admins patch domain controllers immediately, as malicious actors are able to identify and breach vulnerable systems in minutes. Further, CISA has issued a patch validation script to identify unpatched Microsoft domain controllers. If there is evidence of activity related to this vulnerability, admins are advised to assume that all identity services have been compromised.

CISA asks admins to review the Microsoft Support guidance "How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472," as well as any forthcoming guidance as Microsoft prepares for the second half of the Netlogon migration, which is scheduled to conclude in February 2021.

Resource: