CVE-2020-1472

Vulnerability updated a month ago (2024-09-20T19:00:57.327Z)
CVE-2020-1472, also known as Zerologon, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. It allows an attacker to gain administrative access to a Windows domain controller without any authentication, effectively handing them control of the network. The flaw was patched on August 11, 2020, but it has since been exploited widely by threat actors, particularly in phishing attempts and ransomware attacks.

The rapid adoption of Zerologon significantly increased the speed and efficiency of ransomware attacks in 2020: it was used to obtain privileged access to Active Directory, with Cobalt Strike serving as the C2 framework. The RansomHub ransomware attack chain, in particular, includes exploitation of this vulnerability. In one instance, the FBI found a forensic artifact (exp.exe) on a compromised system that likely exploited the Netlogon vulnerability and connected to a domain controller.

The FBI, CISA, CNMF, NCSC-UK, and other organizations have observed APT groups exploiting this vulnerability alongside others, such as the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688). Rhysida actors, for example, leveraged external-facing remote services, the Zerologon vulnerability, and phishing campaigns to gain initial access and persistence within a network. Telemetry data from Vision One also identified Zerologon as a potential access vector, further underscoring its widespread use in cyber attacks.
Description last updated: 2024-09-20T18:16:38.601Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be of interest.

Alias: Zerologon (votes: 9)
Description: Zerologon is a possible alias for CVE-2020-1472. Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability within Microsoft's Netlogon Remote Protocol. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, th
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Exploit
Ransomware
Windows
Phishing
Exploits
exploited
Cuba
Associated Threat Actors
Threat actor: APT15 (association type: Unspecified; votes: 2)
Description: The APT15 Threat Actor is associated with CVE-2020-1472. APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I

Threat actor: RansomHub (association type: Unspecified; votes: 2)
Description: The RansomHub Threat Actor is associated with CVE-2020-1472. RansomHub is a threat actor that emerged as a new group in the cybersecurity landscape in February 2024, following the initial takedown of LockBit. Many former LockBit affiliates seemed to have either started working independently using freely available ransomware source code such as Phobos or align

Threat actor: Rhysida (association type: Exploited; votes: 2)
Description: The Rhysida Threat Actor is associated with CVE-2020-1472. Rhysida, a threat actor active since May 2023, has been responsible for numerous high-profile ransomware attacks. The group is known for its use of various ransomware families, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin, and its own eponymous program, to aid in double extorti
Source Document References
Information about the CVE-2020-1472 vulnerability was read from the document corpus below. This display is limited to 20 results.

Source (created)
Trend Micro (a month ago)
ESET (a month ago)
CISA (2 months ago)
InfoSecurity-magazine (3 months ago)
DARKReading (4 months ago)
CISA (5 months ago)
CERT-EU (8 months ago)
Securityaffairs (10 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
Securityaffairs (a year ago)
SecurityIntelligence.com (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CISA (a year ago)