Cybersecurity and Infrastructure Security Agency, part of the US Department of Homeland Security, doesn't usually issue emergency orders about specific vulnerabilities.
But it issued one on Friday, ordering government agencies that use Microsoft Windows Active Directory on their networks to patch their domain controllers immediately.
And CISA strongly urged everyone else to follow suit, including state and local governments and industry.
"We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary," CISA assistant director Bryan Ware said in a statement.
The only other time this year that CISA issued an alert for a specific vulnerability was in July, for Windows Servers running DNS.
In both cases, the vulnerability allowed criminals to attack large numbers of systems and do significant amounts of damage.
With Zerologon, the vulnerability CISA alerted about on Friday, attackers who already have any foothold in a data center – say, via a successful phishing email sent to an employee – can access the Active Directory and get authenticated to any system it provides security to.
It's the equivalent of a criminal gang knocking out a facility's security guards and putting their own team members in place.
The Zerologon vulnerability is not completely new. In fact, Microsoft issued a patch in August. What is new, however – and what made this vulnerability so urgent and dangerous that CISA told agencies to install the patch on Monday, with no delays – is the public release of proof-of-concept code showing exactly how the vulnerability can be exploited.
It all started with a whitepaper by security researchers at Secura, which gave detailed explanations of how the Zerologon vulnerability worked. Other researchers then followed up with proof of concepts – open source code that hackers could just copy and paste into their own malware.
"It's basically serving it to these attackers on a silver platter," said Satnam Narang, senior research engineer at Tenable Network Security. "Here's what you have to do to exploit this vulnerability. You don't have to spend time to develop it or research it."
Publishing proof of concepts is a double-edged sword, he said. It's good for security professionals, because it helps them know what to defend against.
"But it's really good for attackers," he added.
Secura also released a tool to help network administrators find out whether their domain controllers were vulnerable.
Because of the power this vulnerability gives to attackers, Microsoft rated it as "critical," and the Common Vulnerability Scoring System gave it a ten out of ten for severity.
But it gets worse. Not only does Zerologon give attackers nearly unlimited power over a system, with proof-of-concept code readily available, this is a kind of patch network administrators typically want to take their time before deploying.
"It's definitely tricky to patch domain controllers, that's for sure," said Narang. "They're the guards into your networks, so you want to double- or triple-check when applying patches, so that you're not breaking things."
And it gets worse yet again.
If you haven't patched yet, or didn't install the patch immediately after it was released (or at least after the proof-of-concept code was released), there's a chance that attackers have used the vulnerability to sneak into your systems and then used it again to erase their tracks.
That means they could still be there even after you install the patch.
"It's going to take a lot of effort on the part of your IT staff to review your log files," said Narang. "You'll have to just hunker down and start looking for any indicators of potential compromise."
But wait, there's more.
Most large organizations rely heavily on Active Directory. Servers, PCs, and other devices all authenticate against Active Directory, as do enterprise applications, and even external SaaS applications running in the cloud.
As a result, the Zerologon vulnerability gives attackers access to all those systems.
"This is the worst-case scenario," said Curtis Simpson, CISO at Armis, a Palo Alto-based cybersecurity company. "You now have to assume that everything connected to Active Directory was compromised."
Third-party providers are particularly big targets, he added. "So that the attackers can target all your customers."
Simpson said that an attacker that had any kind of foothold in a data center can check for the presence of a vulnerability without raising any alarm bells.
"I could have gained control in a few seconds with very little effort and covered all my tracks – I could wipe all the logs around what I did," he said. "Folks have likely already done this and are running around different environments unbeknownst."
Is there any way to tell if your data center has been compromised?
"That's going to be one of the challenges," said Simpson. "I'm not going to lie."
There's a chance the attacker didn't clear their tracks and could be traced that way. Otherwise, the data center teams would have to step up their vigilance, looking for any evidence of suspicious behavior, such as unusual communications between systems, unusual movements of data, or communications with known bad sites.
If that monitoring ability isn't in place already, data center teams have to be careful to ensure that the "normal" baseline doesn't include the malicious behavior in it.
Simpson also warned that many organizations have multiple domain controllers, especially organizations that are products of mergers or acquisitions.
“That's where my skin crawls,” he said.