Zerologon

Vulnerability updated a month ago (2024-11-29T13:58:47.474Z)
Zerologon (CVE-2020-1472) is a critical vulnerability in Microsoft's Netlogon Remote Protocol that emerged in 2020. It is a privilege escalation flaw that allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, bypassing authentication and changing computer account passwords in Active Directory. This enables rapid escalation to domain administrator privileges, making attacks faster and more efficient. Throughout 2020, Zerologon was quickly adopted by a range of ransomware operators to obtain privileged access to Active Directory. Notably, Cuba ransomware actors exploited it to gain administrator privileges, and Rhysida actors were also identified exploiting it. The RansomHub ransomware attack chain included exploitation of Zerologon, allowing the attackers to gain initial access to a victim's environment. Despite its potency, not every attempt to exploit Zerologon succeeded: in some cases, Vision One telemetry identified Zerologon as a potential access vector, but the exploitation attempts were not always successful. Regardless, the discovery and subsequent use of Zerologon marked a significant shift in the threat landscape, highlighting the importance of robust software design and implementation to prevent such vulnerabilities.
Description last updated: 2024-11-28T11:43:25.667Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Alias: CVE-2020-1472
Votes: 10
Description: CVE-2020-1472 is a possible alias for Zerologon. CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without any
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Vulnerability
Exploit
Windows
Ransomware
Phishing
Exploits
T1068
Cuba
Associated Malware
Alias: Cuba Ransomware (malware)
Association type: Unspecified
Votes: 2
Description: The Cuba Ransomware malware is associated with Zerologon. The Cuba ransomware is malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Associated Threat Actors
Alias: RansomHub (threat actor)
Association type: Unspecified
Votes: 2
Description: The RansomHub threat actor is associated with Zerologon. RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campai

Alias: Rhysida (threat actor)
Association type: Unspecified
Votes: 2
Description: The Rhysida threat actor is associated with Zerologon. Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistenc
Associated Vulnerabilities
Alias: ProxyLogon (vulnerability)
Association type: Unspecified
Votes: 2
Description: The ProxyLogon vulnerability is associated with Zerologon. ProxyLogon is a serious software vulnerability, specifically an exploit chain in Microsoft Exchange Server. The chain includes CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows attackers to bypass authentication and impersonate users, along with other vulnerabilities suc

Alias: ProxyShell (vulnerability)
Association type: Unspecified
Votes: 2
Description: The ProxyShell vulnerability is associated with Zerologon. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac

Alias: PrintNightmare (vulnerability)
Association type: Unspecified
Votes: 2
Description: The PrintNightmare vulnerability is associated with Zerologon. PrintNightmare is a severe vulnerability (CVE-2021-34527) affecting the Windows Print Spooler service, allowing an attacker to escalate privileges either locally or remotely by loading a malicious DLL that is executed as SYSTEM. This flaw in software design or implementation enables any authen
Source Document References
Information about the Zerologon vulnerability was read from the documents in the corpus below. This display is limited to 20 results.
Source (created at):
Securelist (a month ago)
Trend Micro (2 months ago)
Trend Micro (3 months ago)
ESET (4 months ago)
CISA (4 months ago)
InfoSecurity-magazine (6 months ago)
DARKReading (7 months ago)
Flashpoint (7 months ago)
DARKReading (7 months ago)
CISA (8 months ago)
CERT-EU (10 months ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)