CVE-2020-1472

Vulnerability updated 3 months ago (2024-06-05T23:17:34.329Z)
CVE-2020-1472, also known as Zerologon, is a critical-severity privilege-escalation flaw in Microsoft's Netlogon Remote Protocol (MS-NRPC), patched by Microsoft on August 11, 2020. An attacker who can reach a domain controller's Netlogon RPC interface over the network can authenticate as the domain controller's machine account without knowing its password and then reset that password, which gives them administrative control of Active Directory and, with it, of the whole domain.

Zerologon was adopted quickly after its public disclosure in 2020 and markedly shortened the time between initial access and domain-wide compromise in ransomware intrusions: threat actors used it to obtain privileged access to Active Directory and then deployed Cobalt Strike as their C2 framework. The FBI, together with CISA, CNMF and NCSC-UK, observed an APT group exploiting it alongside the Microsoft Exchange memory corruption vulnerability CVE-2020-0688 and the Fortinet VPN vulnerability CVE-2018-13379. In one instance the FBI recovered a forensic artifact, exp.exe, on a compromised host; it likely exploited the Netlogon vulnerability and connected to a domain controller, after which the actors gained a foothold and escalated privileges within the network using valid accounts.

In more recent activity, affiliates of the growing RansomHub ransomware operation have exploited Zerologon to gain initial access to victim environments, alongside phishing and the abuse of external-facing remote services such as virtual private networks (VPNs) for initial access and persistence. Years after the patch, CVE-2020-1472 therefore remains an active risk, which underlines the importance of applying the Netlogon updates and maintaining strong cybersecurity practices.
Description last updated: 2024-06-05T23:15:56.195Z
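The description above says the flaw lets an attacker authenticate to a domain controller without credentials; the reason is cryptographic rather than a missing check. Netlogon's ComputeNetlogonCredential encrypts an 8-byte challenge with AES-128 in CFB8 mode using a fixed all-zero IV. If the client sends an all-zero client challenge, then whenever the first byte of AES(K, 0^16) is 0x00 the whole credential comes out as eight zero bytes, whatever the rest of the session key is; since the session key changes with every new server challenge, an attacker simply resends a zero challenge and a zero credential until one attempt in roughly 256 is accepted. The following is an added illustration of that mechanism, not code from Cybergeist, Microsoft or any advisory cited on this page. It assumes a stand-in block function (HMAC-SHA256 truncated to 16 bytes) because Python's standard library has no AES, SHA-256 in place of MD4 for the machine-password hash, and deterministic constructed server challenges so the run is reproducible; the 1-in-256 argument depends only on the block function being key-dependent, so the behaviour is the same as with the real cipher.

```python
"""
Added illustration of the CFB8 zero-IV flaw behind CVE-2020-1472 (Zerologon).
Not Microsoft's or any advisory's code: the block cipher and password hash are
constructed stand-ins (see the lead-in), and server challenges are constructed
deterministically instead of being random.
"""
import hashlib
import hmac

BLOCK_LEN = 16
CHALLENGE_LEN = 8
ZERO_IV = bytes(BLOCK_LEN)
ZERO_CHALLENGE = bytes(CHALLENGE_LEN)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (constructed; not AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_LEN]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of the cipher's
    output on a 16-byte shift register; the ciphertext byte is then shifted
    into the register for the next step."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def session_key(password_hash: bytes, client_challenge: bytes, server_challenge: bytes) -> bytes:
    """AES Netlogon session key: HMAC-SHA256 over both challenges, keyed by the
    machine-account password hash and truncated to 16 bytes (MS-NRPC 3.1.4.3.1)."""
    return hmac.new(password_hash, client_challenge + server_challenge, hashlib.sha256).digest()[:BLOCK_LEN]


def compute_netlogon_credential(key: bytes, challenge: bytes, iv: bytes = ZERO_IV) -> bytes:
    """ComputeNetlogonCredential as shipped before the August 2020 fix:
    CFB8 with a fixed all-zero IV. The fixed IV is what makes the attack cheap."""
    return cfb8_encrypt(key, iv, challenge)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """Structural condition: with a zero IV and zero plaintext the register never
    changes, so the credential is all zeros exactly when this byte is 0x00."""
    return block_encrypt(key, ZERO_IV)[0] == 0


def zerologon_attempts(machine_password: bytes, max_attempts: int = 5000, iv: bytes = ZERO_IV):
    """Simulate the attacker: send an all-zero client challenge and an all-zero
    client credential; the server, which knows the password, recomputes the
    credential and accepts when it matches. Returns (attempt number, session key
    of the accepted attempt), or (0, None) if no attempt succeeded."""
    # Constructed stand-in for MD4(password); MD4 is not reliably available in hashlib.
    password_hash = hashlib.sha256(machine_password).digest()[:16]
    for attempt in range(1, max_attempts + 1):
        # Constructed deterministic server challenge; a real DC sends 8 random bytes.
        server_challenge = hashlib.sha256(b"server-challenge-%d" % attempt).digest()[:CHALLENGE_LEN]
        key = session_key(password_hash, ZERO_CHALLENGE, server_challenge)
        expected = compute_netlogon_credential(key, ZERO_CHALLENGE, iv)
        if expected == ZERO_CHALLENGE:  # the attacker's all-zero credential is accepted
            return attempt, key
    return 0, None


if __name__ == "__main__":
    n, _ = zerologon_attempts(b"constructed-machine-password")
    print(f"all-zero credential accepted on attempt {n} (about 256 expected)")
    n_iv, _ = zerologon_attempts(b"constructed-machine-password", iv=b"\x01" * BLOCK_LEN)
    print(f"with a non-zero register state: accepted on attempt {n_iv} (0 means never)")
```

Passing a non-zero `iv` shows why the fixed zero IV matters: once the shift register is not all zeros, each of the eight output bytes depends on a different register state, so an all-zero credential needs eight independent 1-in-256 events and the loop never succeeds within the attempt budget. This is only a demonstration of the cryptographic property; the actual Microsoft fix enforces secure RPC for Netlogon channels rather than changing the IV.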
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Zerologon (7 votes)
Profile description: Zerologon, also known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol that affects all versions of Windows Server OS from 2008 onwards. The flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Ac
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Vulnerability
Phishing
Windows
Ransomware
Exploits
exploited
Associated Malware
ID: Cuba (type: Unspecified, 2 votes)
Profile description: The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w
Associated Threat Actors
ID: APT15 (type: Unspecified, 2 votes)
Profile description: APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I

ID: Rhysida (type: Exploited, 2 votes)
Profile description: Rhysida, a threat actor active since May 2023, is responsible for a series of ransomware attacks, with a significant focus on the healthcare sector. It accounts for 8% of total cyberattacks, with 38% of its attacks targeting healthcare institutions. The group's modus operandi includes transferring R
Source Document References
Information about the CVE-2020-1472 vulnerability was read from the documents corpus below. This display is limited to 20 results.
Source (created at): Title
CISA (10 days ago): #StopRansomware: RansomHub Ransomware | CISA
InfoSecurity-magazine (2 months ago): Ransomware Groups Prioritize Defense Evasion for Data Exfiltration
DARKReading (3 months ago): RansomHub Actors Exploit ZeroLogon Vuln in Recent Ransomware Attacks
CISA (4 months ago): #StopRansomware: Black Basta | CISA
CERT-EU (6 months ago): Measures to implement against critical vulnerabilities: Zerologon the Windows Netlogon security hole
Securityaffairs (8 months ago): Rhysida ransomware group hacked Abdali Hospital in Jordan
CERT-EU (8 months ago): Rhysida ransomware group hacked Abdali Hospital in Jordan | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (9 months ago): Threat actors still exploiting old unpatched vulnerabilities, says Cisco | IT World Canada News
Securityaffairs (9 months ago): Rhysida ransomware group hacked King Edward VII's Hospital
SecurityIntelligence.com (10 months ago): X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021
CERT-EU (9 months ago): FBI And CISA Warn Of Rhysida Ransomware Threat
Securityaffairs (9 months ago): Rhysida ransomware gang claimed China Energy hack
CERT-EU (10 months ago): Samba 4.12.7 - Release Notes
CERT-EU (10 months ago): Same threats, different ransomware
Securityaffairs (10 months ago): Rhysida ransomware gang is auctioning data stolen from the British Library
CERT-EU (10 months ago): Cyber Security Week In Review: November 17, 2023
Securityaffairs (10 months ago): FBI and CISA warn of attacks by Rhysida ransomware gang
CISA (10 months ago): CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware | CISA
CERT-EU (10 months ago): FBI and CISA warn of opportunistic Rhysida ransomware attacks
CISA (10 months ago): #StopRansomware: Rhysida Ransomware | CISA