CVE-2020-1472

Vulnerability Profile Updated 2 months ago
CVE-2020-1472, also known as ZeroLogon, is a critical-severity privilege-escalation flaw in Microsoft's Netlogon Remote Protocol. Microsoft patched it on August 11, 2020. The vulnerability allows an unauthenticated attacker to gain administrative access to a Windows domain controller, and with it effective control over the domain. The rapid adoption of ZeroLogon in 2020 significantly increased the speed and efficiency of ransomware attacks: threat actors used it to obtain privileged access to Active Directory and then deployed Cobalt Strike as their C2 framework. The FBI, together with other security agencies including CISA, CNMF, and NCSC-UK, observed an APT group exploiting this vulnerability alongside others such as the Microsoft Exchange memory-corruption vulnerability (CVE-2020-0688) and the Fortinet VPN vulnerability (CVE-2018-13379). In one instance, the FBI recovered a forensic artifact (exp.exe) on a compromised system that likely exploited the Netlogon vulnerability and connected to a domain controller; this gave the threat actors initial access and let them escalate privileges within the network using valid accounts. In recent attacks by the growing RansomHub ransomware operation, attackers have exploited ZeroLogon to gain initial access to victims' environments. Threat actors have also been observed exploiting ZeroLogon in phishing campaigns and leveraging external-facing remote services such as virtual private networks (VPNs) to gain initial access and persistence within a network. These activities highlight the ongoing risk posed by CVE-2020-1472 and underline the importance of applying patches and maintaining strong cybersecurity practices.
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions between vendors is difficult, so the following are possible overlapping names and profiles that may also be relevant.
| ID | Votes | Profile Description |
| --- | --- | --- |
| Zerologon | 7 | Zerologon is a critical vulnerability (CVE-2020-1472) found within Microsoft's Netlogon Remote Protocol, impacting all versions of Windows Server OS from 2008 onwards. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and change computer passwords wi |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Exploit
Ransomware
Phishing
Windows
exploited
Exploits
Microsoft
Apt
T1078
Vpn
Blackberry
Veeam
Malware
Evasive
Eset
exploitation
Papercut
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Cuba | Unspecified | 2 | The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w |
| Cobaltstrike | Unspecified | 1 | CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte |
| Cuba Ransomware | Unspecified | 1 | The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi |
| Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an |
| Black Basta | Unspecified | 1 | Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs |
| China Chopper | Unspecified | 1 | China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| APT15 | Unspecified | 2 | APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I |
| Rhysida | Exploited | 2 | Rhysida, a threat actor known for executing malicious cyber activities, has been responsible for numerous ransomware attacks. The group has primarily targeted businesses and healthcare organizations, with notable instances including a disruptive attack on Ann & Robert H. Lurie Children's Hospital of |
| Ransomhub | Unspecified | 1 | RansomHub, a threat actor known for executing actions with malicious intent, has recently been linked to several high-profile cyber-attacks. The group is recognized for its ransomware attacks, which have resulted in significant data breaches at multiple companies. Christie, a prominent organization, |
Associated Vulnerabilities
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| CVE-2018-13379 | Unspecified | 1 | CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20 |
| CVE-2023-27532 | Unspecified | 1 | CVE-2023-27532 is a high-severity vulnerability discovered in Veeam's Backup & Replication software. This flaw, disclosed in March 2023, can be exploited to breach backup infrastructure hosts. Despite its serious implications, it was not added to the Known Exploited Vulnerabilities (KEV) list until |
| CVE-2020-1472 ZEROLOGON | Unspecified | 1 | None |
| Printnightmare Cve-2021-34527 | Unspecified | 1 | PrintNightmare (CVE-2021-34527) is a significant software vulnerability that was identified and reported in 2021. It is a flaw in the design or implementation of Microsoft's Windows Print Spooler service, which can be exploited for local and Windows Active Domain privilege escalation. This allows at |
| Printnightmare | Unspecified | 1 | PrintNightmare (CVE-2021-34527) is a significant vulnerability in the Windows Print Spooler service that allows an attacker to escalate privileges either locally or remotely by loading a malicious DLL which will be executed as SYSTEM. This flaw, potentially a new zero-day Microsoft vulnerability, en |
| CVE-2020-0688 | Unspecified | 1 | CVE-2020-0688 is a significant vulnerability found in Microsoft Exchange Server, which pertains to memory corruption. This flaw allows for remote code execution by exploiting the fact that the application uses a static validationKey and decryptionKey (collectively known as the machineKey) by default |
Source Document References
Information about the CVE-2020-1472 vulnerability was read from the document corpus below. This display is limited to 20 results.
| Source | Created At | Title |
| --- | --- | --- |
| InfoSecurity-magazine | 17 days ago | Ransomware Groups Prioritize Defense Evasion for Data Exfiltration |
| DARKReading | 2 months ago | RansomHub Actors Exploit ZeroLogon Vuln in Recent Ransomware Attacks |
| CISA | 3 months ago | #StopRansomware: Black Basta \| CISA |
| CERT-EU | 5 months ago | Measures to implement against critical vulnerabilities: Zerologon the Windows Netlogon security hole |
| Securityaffairs | 7 months ago | Rhysida ransomware group hacked Abdali Hospital in Jordan |
| CERT-EU | 7 months ago | Rhysida ransomware group hacked Abdali Hospital in Jordan \| #ransomware \| #cybercrime \| National Cyber Security Consulting |
| CERT-EU | 7 months ago | Threat actors still exploiting old unpatched vulnerabilities, says Cisco \| IT World Canada News |
| Securityaffairs | 8 months ago | Rhysida ransomware group hacked King Edward VII’s Hospital |
| SecurityIntelligence.com | 8 months ago | X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021 |
| CERT-EU | 8 months ago | FBI And CISA Warn Of Rhysida Ransomware Threat |
| Securityaffairs | 8 months ago | Rhysida ransomware gang claimed China Energy hack |
| CERT-EU | 8 months ago | Samba 4.12.7 - Release Notes |
| CERT-EU | 8 months ago | Same threats, different ransomware |
| Securityaffairs | 8 months ago | Rhysida ransomware gang is auctioning data stolen from the British Library |
| CERT-EU | 8 months ago | Cyber Security Week In Review: November 17, 2023 |
| Securityaffairs | 8 months ago | FBI and CISA warn of attacks by Rhysida ransomware gang |
| CISA | 8 months ago | CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware \| CISA |
| CERT-EU | 8 months ago | FBI and CISA warn of opportunistic Rhysida ransomware attacks |
| CISA | 8 months ago | #StopRansomware: Rhysida Ransomware \| CISA |
| CERT-EU | 9 months ago | Citrix Bleed Vulnerability: Background and Recommendations - ReliaQuest |