Critical Zerologon Vulnerability Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on Zerologon vulnerability tracked as CVE-2020-1472, rated as critical with a CVSS score of 10
Updated on
April 19, 2023
Published on
September 25, 2020
Subscribe to the latest industry news, threats and resources.
Zerologon is a critical privilege escalation vulnerability affecting all Windows Server versions after hijacking its Domain Controllers (DC) in the Active Directory environment of an enterprise. A flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol (AES-CFB8)  is responsible for this specific vulnerability. The Netlogon Remote Protocol (NRPC) is a Remote Procedure Call (RPC) interface available on Windows Domain Controllers. It is used for various tasks such as to authenticate user and machine connections, most commonly to allow users to log in to servers using the New Technology LAN Manager (NTLM) protocol. To trigger this vulnerability multiple Netlogon messages are sent to the Domain Controller, in which various fields are filled with zeroes. This leads to a complete takeover of the target Domain Controller. The attacker does not even require user credentials to initiate the attack.[/vc_wp_text][vc_wp_text]

Impact Analysis 

  • The attacker can change the computer password of the domain controller, once access is established.
  • This can then be used to obtain domain admin credentials which is used to restore the original DC password.
  • Zerologon allows an attacker to dump all user hashes into the target domain, including the hash of the KRBTGT account, which in turn induces a Golden Ticket attack.
  • Domain access to all verticals leading to complete takeover of the company infrastructure.
  • Loss of client, business-sensitive data.
  • Loss of reputation, goodwill and revenue shares.
  • Massive financial losses, sprawling lawsuits. 

 Preventive Measures

  • The patch released in August 2020 addresses CVE-2020-1472.
  • Domain Controllers (both back-up and read-only) must install aforementioned patches.
  • Deploy Domain Controller (DC) enforcement mode, which requires all Windows and non-Windows devices to use secure NRPC or to explicitly allow the account by adding an exception for any non-compliant device.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations