After a short hiatus we now have a new vuln with a new logo and catchy name: SIGRED! This finding, discovered by Check Point researchers and recently patched by Microsoft, could allow attackers to exploit public (and private) DNS servers by simply coaxing them into making a DNS query and grabbing a value from an outside authoritative server for a specified domain. The DNS servers in use are typically domain controllers, which are perfectly positioned for an attacker to launch a corporate-wide attack.
It may sound like a feat to force a server you don’t control to make a DNS query, but it’s actually not very difficult; we routinely force web servers to do this using XML XXE blind injection. Normally a web server would not share a role as a DC, but it demonstrates the potential.
Some believe that, with our current distributed worker architecture, this extends the attack surface to homes, which are a great jumping-off point into a corporate network. Home networks and computers are not always subject to the hardening rigor of corporate machines and may pose an additional, less protected vector for attack.
All of this can be avoided, of course; this is not a zero-day vulnerability. Patch all your Windows DNS servers and look forward to the next vulnerability sure to take down the internet.