Zerologon exploited in the wild.
Microsoft warned on Wednesday that attackers are actively exploiting the Zerologon elevation-of-privilege vulnerability (CVE-2020-1472). "We have observed attacks where public exploits have been incorporated into attacker playbooks," the company said, adding, "We strongly recommend customers to immediately apply security updates for CVE-2020-1472." Several samples named after the public exploit SharpZeroLogon have been uploaded to VirusTotal over the past week. Threatpost says 0patch has issued a micropatch for Windows servers that no longer receive support, particularly Windows Server 2008 R2. Certain configurations of Samba are also affected by Zerologon, and the Samba project released an advisory outlining mitigations.
Late last week the US Cybersecurity and Infrastructure Security Agency (CISA) directed all Federal agencies to apply August’s patch to Microsoft Windows Server. Emergency Directive 20-04 required that mitigations of Zerologon be applied by midnight this past Monday, and that all agencies report completion by midnight Wednesday. The directive applied to Federal agencies under CISA’s oversight (which is most of them, but with certain national security exclusions). As Forbes notes, if the matter is serious enough for CISA to take this action, then the private sector would be wise to do the same.
Tyler Technologies sustains ransomware attack.
Dallas News reports that Texas-based Tyler Technologies, a large US public sector software vendor, has confirmed that the cyberattack it reported earlier in the week indeed involved ransomware, as many observers had suspected. BleepingComputer cites sources close to the incident as saying the malware used was RansomExx, a relatively new strain based on the Defray777 ransomware.
Tyler Technologies stated, "At this time and based on the evidence available to us to date, all indications are that the impact of this incident is limited to our internal network and phone systems. We currently have no reason to believe that any client data, client servers, or hosted systems were affected." KrebsOnSecurity notes, however, that the company is still in the early stages of its investigation.