CVE-2020-1472

Vulnerability Profile Updated 9 days ago
CVE-2020-1472, better known as Zerologon, is a critical elevation-of-privilege vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC). Microsoft patched it on August 11, 2020; that patch initially ran in a deployment phase, and the updates of February 9, 2021 moved every domain controller into the enforcement phase, in which insecure Netlogon secure-channel connections are refused. The root cause is cryptographic: the Netlogon handshake computes its credential with AES-CFB8 under a fixed all-zero initialization vector, so an all-zero client challenge produces an all-zero credential for roughly one session key in 256. Any host that can reach a domain controller's Netlogon RPC interface can therefore, after about 256 attempts on average, authenticate as any machine account, including the domain controller's own, without knowing its password, reset that password to an empty value, and then extract the domain's credentials (for example via DCSync) and take control of the domain.

Rapid adoption of Zerologon in 2020 increased the speed and efficiency of ransomware attacks: once inside a network, operators used it to obtain privileged access to Active Directory and then deployed Cobalt Strike as their C2 framework. The FBI, together with CISA, CNMF and NCSC-UK, observed an APT group exploiting it alongside the Microsoft Exchange memory-corruption vulnerability CVE-2020-0688 and the Fortinet VPN vulnerability CVE-2018-13379. In one instance the FBI found a forensic artifact (exp.exe) on a compromised system that likely exploited the Netlogon vulnerability and connected to a domain controller; the actors then used valid accounts (ATT&CK T1078) to gain initial access and escalate privileges within the network.

More recently, affiliates of the RansomHub ransomware operation have exploited Zerologon to gain initial access to victim environments. Threat actors have also been observed combining Zerologon with phishing and with external-facing remote services such as virtual private networks (VPNs) to gain initial access and persistence in a network.

These activities show that CVE-2020-1472 remains a live risk despite the age of the patch. Applying the update is necessary but not sufficient: every domain controller must carry it, enforcement mode must be in effect, and the Netlogon events the patch introduced (5827 and 5828 for denied vulnerable connections, 5829 for a vulnerable connection that was still allowed, 5830 and 5831 for connections allowed by an explicit policy exception) should be monitored on the domain controllers, since a 5829 means the protection is not yet enforced.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): profile description
Zerologon (6 votes)
Zerologon is a critical elevation of privilege vulnerability (CVE-2020-1472) within Microsoft’s Netlogon Remote Protocol, affecting all versions of Windows Server OS from 2008 up to the latest available from Microsoft. This flaw in software design or implementation allows an attacker to establish a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Exploit
Ransomware
Phishing
Windows
exploited
T1078
Microsoft
Apt
Vpn
Blackberry
Veeam
Malware
Evasive
Eset
exploitation
Papercut
Associated Malware
ID (type, votes): profile description
Cuba (Unspecified, 2 votes)
The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w
China Chopper (Unspecified, 1 vote)
China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated
Cobaltstrike (Unspecified, 1 vote)
CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Cuba Ransomware (Unspecified, 1 vote)
The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Cobalt Strike Beacon (Unspecified, 1 vote)
Cobalt Strike Beacon is a form of malware that has been linked to significant ransomware activity. It is loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted version via vm.cfg. This malicious software can infiltrate systems and enable backdoor functiona
Black Basta (Unspecified, 1 vote)
Black Basta is a notorious malware entity known for its ransomware attacks on numerous organizations globally. The Russian-speaking group has affected over 500 organizations across various sectors, including automotive, outsourcing, public services, government, healthcare, and telecommunications. No
Associated Threat Actors
ID (type, votes): profile description
APT15 (Unspecified, 2 votes)
APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I
Rhysida (Exploited, 2 votes)
Rhysida is a prominent threat actor in the cybersecurity landscape, first emerging in May 2023 as a Ransomware-as-a-Service (RaaS) operation. Initially targeting Windows systems, Rhysida later expanded to Linux platforms. The ransomware uses AES and RSA algorithms for file encryption, with the ChaCh
Ransomhub (Unspecified, 1 vote)
Ransomhub, a self-proclaimed Ransomware-as-a-Service (RaaS) operation, emerged on the cybersecurity scene in early 2024. The group first disclosed its existence on the Russian-language dark web forum RAMP in February 2024. Since then, it has rapidly risen to prominence, publicly claiming five distin
Associated Vulnerabilities
ID (type, votes): profile description
CVE-2018-13379 (Unspecified, 1 vote)
CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20
CVE-2023-27532 (Unspecified, 1 vote)
CVE-2023-27532 is a high-severity vulnerability discovered in Veeam's Backup & Replication software. This flaw, disclosed in March 2023, can be exploited to breach backup infrastructure hosts. Despite its serious implications, it was not added to the Known Exploited Vulnerabilities (KEV) list until
CVE-2020-1472 ZEROLOGON (Unspecified, 1 vote)
No profile description.
Printnightmare Cve-2021-34527 (Unspecified, 1 vote)
PrintNightmare (CVE-2021-34527) is a significant software vulnerability that was identified and reported in 2021. It is a flaw in the design or implementation of Microsoft's Windows Print Spooler service, which can be exploited for local and Windows Active Domain privilege escalation. This allows at
Printnightmare (Unspecified, 1 vote)
PrintNightmare (CVE-2021-34527) is a significant vulnerability in the Windows Print Spooler service that allows an attacker to escalate privileges either locally or remotely by loading a malicious DLL which will be executed as SYSTEM. This flaw, potentially a new zero-day Microsoft vulnerability, en
CVE-2020-0688 (Unspecified, 1 vote)
CVE-2020-0688 is a significant vulnerability found in Microsoft Exchange Server, which pertains to memory corruption. This flaw allows for remote code execution by exploiting the fact that the application uses a static validationKey and decryptionKey (collectively known as the machineKey) by default
Source Document References
Information about the CVE-2020-1472 Vulnerability was read from the documents corpus below (this display is limited to 20 results).
Source, created at: title
CERT-EU, 10 months ago: Cuba ransomware uses Veeam exploit against critical U.S. organizations
Securityaffairs, 6 months ago: Rhysida ransomware group hacked King Edward VII’s Hospital
CERT-EU, 7 months ago: Same threats, different ransomware
CERT-EU, a year ago: Analysis of Ransomware Attack Timelines | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CISA, 7 months ago: CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware | CISA
CERT-EU, a year ago: X-Force Prevents Zero Day from Going Anywhere
CERT-EU, 10 months ago: Cuba ransomware gang looking for unpatched Veeam installations: Report | IT World Canada News
CERT-EU, a year ago: LockBit Ransomware Gang Earned $91 Million Ever Since It Discovered
Fortinet, a year ago: Meet LockBit: The Most Prevalent Ransomware in 2022 | FortiGuard Labs
CISA, a year ago: #StopRansomware: Cuba Ransomware | CISA
CERT-EU, 10 months ago: Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America
CERT-EU, 10 months ago: 'Cuba' Ransomware Group Uses Every Trick in the Book
CISA, a year ago: Understanding Ransomware Threat Actors: LockBit | CISA
CERT-EU, 7 months ago: FBI and CISA warn of opportunistic Rhysida ransomware attacks
MITRE, a year ago: Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser | Mandiant
CERT-EU, 9 months ago: From Caribbean shores to your devices: analyzing Cuba ransomware – GIXtools
InfoSecurity-magazine, 10 months ago: Cuba Ransomware Group Steals Credentials Via Veeam Exploit
BankInfoSecurity, 10 months ago: Scarab Ransomware Deployed Using SpaceColon Toolkit
CERT-EU, 10 months ago: Samba 4.10.18 - Release Notes
Securityaffairs, 7 months ago: Rhysida ransomware gang claimed China Energy hack