Zerologon exploited by nation-states


According to Microsoft’s Security Intelligence team, a nation-state actor has been observed leveraging CVE-2020-1472, a critical elevation-of-privilege vulnerability in Netlogon. Researchers named the vulnerability “Zerologon” because the exploit abuses the initialisation vectors used in the Netlogon logon process, which are fixed to all zeros rather than being randomly generated.
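What a defender can do with this on a patched domain controller is shown by the added example below; it is not code from the article, from Tenable or from Microsoft. It relies on one fact about the fix: Microsoft’s August 2020 update for CVE-2020-1472 made domain controllers write System-log events 5827 and 5828 when a vulnerable Netlogon secure-channel connection is denied, 5829 when one is still allowed, and 5830/5831 when one is allowed by Group Policy exception. The log format, the sample records and the burst threshold are constructed for this example and are not Windows’ native format or a Microsoft-documented threshold.

```python
"""Triage constructed Netlogon (CVE-2020-1472) events from a patched domain controller.

Event IDs 5827-5831 are the ones Microsoft's August 2020 Netlogon update added.
The pipe-separated record format and the sample records are constructed for this
example; real events would be read from the System log (source NETLOGON).
"""
from collections import defaultdict
from datetime import datetime, timezone

# Meaning of each event, per the Netlogon update's documentation.
NETLOGON_EVENTS = {
    5827: "denied vulnerable secure-channel connection (machine account)",
    5828: "denied vulnerable secure-channel connection (trust account)",
    5829: "ALLOWED vulnerable secure-channel connection (not yet enforced)",
    5830: "allowed by Group Policy exception (machine account)",
    5831: "allowed by Group Policy exception (trust account)",
}

# Constructed sample records: "timestamp|EventID|SamAccountName|Domain|OS".
SAMPLE_LOG = """\
2020-09-14T10:01:02Z|5829|PRINTER01$|CORP|Unknown
2020-09-14T10:01:03Z|5827|WORKSTATION7$|CORP|Windows 10
2020-09-14T10:01:05Z|5827|DC01$|CORP|Windows Server 2019
2020-09-14T10:01:06Z|5827|DC01$|CORP|Windows Server 2019
2020-09-14T10:01:06Z|5827|DC01$|CORP|Windows Server 2019
2020-09-14T10:01:07Z|5827|DC01$|CORP|Windows Server 2019
2020-09-14T10:01:08Z|5827|DC01$|CORP|Windows Server 2019
2020-09-14T10:01:09Z|5827|DC01$|CORP|Windows Server 2019
2020-09-14T10:02:00Z|5830|LEGACYNAS$|CORP|Unknown
"""


def parse_records(text):
    """Turn the constructed pipe-separated records into dicts with UTC timestamps."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, account, domain, os_name = line.split("|")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(event_id),
            "account": account,
            "domain": domain,
            "os": os_name,
        })
    return records


def triage(text, burst_threshold=5, window_seconds=60):
    """Summarise exposure (5829) and denials (5827/5828).

    A burst of denials for one account inside a short window is flagged because a
    patched DC rejects every vulnerable attempt, and the exploit needs many tries;
    the threshold is an assumed heuristic, not a Microsoft-documented value.
    """
    records = parse_records(text)

    # Accounts still reaching the DC over a vulnerable channel: these are the
    # devices that must be fixed before enforcement mode is switched on.
    still_vulnerable = sorted({r["account"] for r in records if r["event_id"] == 5829})

    denied = defaultdict(list)
    for r in records:
        if r["event_id"] in (5827, 5828):
            denied[r["account"]].append(r["time"])

    bursts = {}
    for account, times in denied.items():
        times.sort()
        best, start = 0, 0
        # Sliding window: largest number of denials inside any window_seconds span.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= burst_threshold:
            bursts[account] = best

    return {
        "still_vulnerable": still_vulnerable,
        "denied_counts": {a: len(t) for a, t in denied.items()},
        "bursts": bursts,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Still connecting over a vulnerable channel:", result["still_vulnerable"])
    print("Denied vulnerable connections per account:", result["denied_counts"])
    for account, count in result["bursts"].items():
        print(f"ALERT: {count} denials for {account} within one minute")
```

Two findings matter most in the output: the 5829 account is a device that will break (or must be granted an exception) once enforcement is on, and a burst of 5827 denials naming a domain controller's own machine account is not how DCs talk to each other after the update, so it deserves investigation rather than being filed as noise.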

Rody Quinlan, Security Response Manager at Tenable, commented: “Given the large availability of working proof of concepts (PoCs), and overall impact from exploitation, it’s unsurprising that known groups are looking to take advantage of this Netlogon vulnerability, dubbed Zerologon. Exploitation, if successful, allows the complete takeover of the Windows domain — that’s the virtual equivalent of the keys to the kingdom.

“A quick search on GitHub reveals that there are currently at least 40 repositories containing PoC code relating to this flaw. There are also working exploit scripts that defenders and attackers alike can utilize to exploit this vulnerability.

“This is going to be one of the more favourable vulnerabilities this year for malicious parties and it’s imperative that organizations either patch or take remediative action immediately to prevent systems from being compromised.”