Zerologon

Vulnerability updated a month ago (2024-09-20T19:00:55.381Z)
Zerologon (CVE-2020-1472) is a critical elevation-of-privilege vulnerability in Microsoft's Netlogon Remote Protocol. The flaw, a defect in the protocol's design and implementation, lets an attacker bypass authentication and change the computer account password of a domain controller in Active Directory, and from there escalate quickly to domain administrator. The privilege escalation condition arises when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol.

The vulnerability was discovered and exploited by various threat actors in 2020. Ransomware operators adopted Zerologon rapidly in Q4 2020, which significantly increased the speed and efficiency of their attacks. Cuba ransomware actors and Rhysida actors, among others, exploited Zerologon to gain administrator privileges. The RansomHub ransomware attack chain also includes exploitation of this vulnerability, as do the attack chains of other Russia-based Advanced Persistent Threats (APTs). These actors used Zerologon alongside other known vulnerabilities such as NoPac and PrintNightmare to escalate privileges within networks. Telemetry from Vision One identified Zerologon as a potential access vector, observed in unrelated incidents as well. In recent attacks involving the growing RansomHub ransomware, attackers have exploited the Zerologon flaw to gain initial access to a victim's environment. Other affiliates, such as Black Basta, have used the credential-scraping tool Mimikatz together with the Zerologon, NoPac, and PrintNightmare vulnerabilities for privilege escalation. Zerologon therefore remains a significant security concern that has been widely exploited by a range of malicious actors.
Description last updated: 2024-09-20T18:17:02.086Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names or profiles that may also be relevant.

Alias: CVE-2020-1472
Description: CVE-2020-1472 is a possible alias for Zerologon. CVE-2020-1472, also known as the Zerologon vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. The vulnerability allows attackers to gain administrative access to a Windows domain controller without any authentication, effectively giving them control over a network. T
Votes: 9
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Exploit
Windows
Ransomware
Phishing
Exploits
T1068
Cuba
Associated Malware
Malware: Cuba Ransomware
Description: The Cuba Ransomware malware is associated with Zerologon. The Cuba ransomware is malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Association type: Unspecified
Votes: 2
Associated Threat Actors
Threat actor: RansomHub
Description: The RansomHub threat actor is associated with Zerologon. RansomHub is a threat actor that emerged as a new group in the cybersecurity landscape in February 2024, following the initial takedown of LockBit. Many former LockBit affiliates seemed to have either started working independently using freely available ransomware source code such as Phobos or align
Association type: Unspecified
Votes: 2

Threat actor: Rhysida
Description: The Rhysida threat actor is associated with Zerologon. Rhysida, a threat actor active since May 2023, has been responsible for numerous high-profile ransomware attacks. The group is known for its use of various ransomware families, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin, and its own eponymous program, to aid in double extorti
Association type: Unspecified
Votes: 2
Associated Vulnerabilities
Vulnerability: ProxyLogon
Description: The ProxyLogon vulnerability is associated with Zerologon. ProxyLogon is a significant vulnerability in the design and implementation of software, specifically within Microsoft Exchange Server. CVE-2021-26855, part of the ProxyLogon exploit chain, is a server-side request forgery (SSRF) vulnerability that allows attackers to bypass authentication mechanis
Association type: Unspecified
Votes: 2

Vulnerability: ProxyShell
Description: The ProxyShell vulnerability is associated with Zerologon. ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. It is a software design and implementation flaw that allows attackers to gain unauthorized access to the affected systems. The exploit chain for ProxyShell includes CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
Association type: Unspecified
Votes: 2

Vulnerability: PrintNightmare
Description: The PrintNightmare vulnerability is associated with Zerologon. PrintNightmare (CVE-2021-34527) is a significant vulnerability in the Windows Print Spooler service that allows an attacker to escalate privileges either locally or remotely by loading a malicious DLL which will be executed as SYSTEM. This flaw, potentially a new zero-day Microsoft vulnerability, en
Association type: Unspecified
Votes: 2
Source Document References
Information about the Zerologon vulnerability was read from the documents listed below. This display is limited to 20 results.

Source (created):
- Trend Micro (a month ago)
- ESET (a month ago)
- CISA (2 months ago)
- InfoSecurity-magazine (3 months ago)
- DARKReading (4 months ago)
- Flashpoint (5 months ago)
- DARKReading (5 months ago)
- CISA (5 months ago)
- CERT-EU (8 months ago)
- Securityaffairs (10 months ago)
- CERT-EU (10 months ago)
- Securityaffairs (a year ago)
- CERT-EU (a year ago)
- Securityaffairs (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- Securityaffairs (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)