CVE-2020-1472

Vulnerability updated a month ago (2024-10-21T09:00:57.327Z)

Download STIX

Preview STIX

CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without any authentication. The exploitation of this flaw effectively grants threat actors control over a network, posing significant security risks. Throughout 2020, the ZeroLogon vulnerability was widely adopted by threat actors, significantly enhancing both the speed and efficiency of ransomware attacks. In multiple instances, it was used to obtain privileged access to Active Directory and CobaltStrike as the Command and Control (C2) framework. Notably, the RansomHub ransomware incorporated the exploitation of the ZeroLogon vulnerability into its attack chain. In one case, the FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability and connects to a domain controller. Threat actors have been observed exploiting the ZeroLogon vulnerability in various ways, including phishing attempts and impersonation of the domain controller. In one such instance, threat actors attempted to impersonate the domain controller by exploiting the ZeroLogon privilege escalation vulnerability. Telemetry data from Vision One also identified the ZeroLogon vulnerability as a potential access vector, further highlighting its widespread use in cyberattacks.

Description last updated: 2024-10-21T08:36:00.913Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Zerologon is a possible alias for CVE-2020-1472. Zerologon, officially known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol. This flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, enabling them to escalate privileges to do	9

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

Exploit

Ransomware

Windows

Phishing

Exploits

exploited

Cuba

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT15 Threat Actor is associated with CVE-2020-1472. APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I	Unspecified	2
The Ransomhub Threat Actor is associated with CVE-2020-1472. RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campai	Unspecified	2
The Rhysida Threat Actor is associated with CVE-2020-1472. Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistenc	Exploited	2

Source Document References

Information about the CVE-2020-1472 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CISA	3 months ago	Russian Military Cyber Actors Target US and Global Critical Infrastructure
CISA	6 days ago	2023 Top Routinely Exploited Vulnerabilities \| CISA
Trend Micro	a month ago	Understanding the Initial Stages of Web Shell and VPN Threats An MXDR Analysis
CISA	a month ago	Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations \| CISA
Trend Micro	2 months ago	How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections
ESET	2 months ago	CosmicBeetle steps up: Probation period at RansomHub
CISA	3 months ago	#StopRansomware: RansomHub Ransomware \| CISA
InfoSecurity-magazine	4 months ago	Ransomware Groups Prioritize Defense Evasion for Data Exfiltration
DARKReading	6 months ago	RansomHub Actors Exploit ZeroLogon Vuln in Recent Ransomware Attacks
CISA	6 months ago	#StopRansomware: Black Basta \| CISA
CERT-EU	9 months ago	Measures to implement against critical vulnerabilities: Zerologon the Windows Netlogon security hole
Securityaffairs	a year ago	Rhysida ransomware group hacked Abdali Hospital in Jordan
CERT-EU	a year ago	Rhysida ransomware group hacked Abdali Hospital in Jordan \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Threat actors still exploiting old unpatched vulnerabilities, says Cisco \| IT World Canada News
Securityaffairs	a year ago	Rhysida ransomware group hacked King Edward VII’s Hospital
SecurityIntelligence.com	a year ago	X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021
CERT-EU	a year ago	FBI And CISA Warn Of Rhysida Ransomware Threat
Securityaffairs	a year ago	Rhysida ransomware gang claimed China Energy hack
CERT-EU	a year ago	Samba 4.12.7 - Release Notes
CERT-EU	a year ago	Same threats, different ransomware