

6 April 2021

In September 2020, details of a critical vulnerability known as ‘ZeroLogon’ were published. The vulnerability affects the Windows NetLogon process and is tracked as CVE-2020-1472. The publication coincided with the August 2020 Windows Security Update release, which addressed the vulnerability before it became widely known and distributed among threat actors. Since its announcement, proof-of-concept exploits have been detected, and a module for exploiting CVE-2020-1472 has been added to the Metasploit framework.

Sapphire has been monitoring for this vulnerability since September 2020. Analysis of available threat intelligence indicates that it continues to be exploited in the wild. There has been a significant increase in ZeroLogon-related activity over recent days, with multiple threat-intelligence references both to the vulnerability itself and to malware capable of exploiting it. This may be due to Microsoft's announcement that, from the 8th of February 2021, enforcement mode will be enabled by default through a security update for this vulnerability; the window of opportunity for attackers is narrowing.

The vulnerability lies in the cryptographic mechanism of the NetLogon process. Any attacker with access to a Domain Controller can use the available exploits to impersonate any Domain User, including Domain Admin accounts, elevating their privileges to the highest available within a Windows Domain. We assess that this increases the risk posed by malicious insiders: specifically, legitimate users with lower-privileged access to Domain Controllers can escalate their privileges.

Since CVE-2020-1472 was announced, Sapphire has created several rules that detect and alert our analysts to any behaviour relating to this vulnerability, including rules that correlate vulnerability data with Windows Event IDs on affected products. Using threat intelligence, we have continued to fine-tune these rules, tailoring our indicators of compromise and identifying when the vulnerability is being exploited. With the vulnerability itself readily identifiable, the ongoing focus has been on identifying and including other indicators: associated malware, associated IP addresses and command-and-control servers, and user behaviour.
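As an added illustration of the kind of Event ID correlation described above (this is example code written for this page, not Sapphire's detection rules), the following triage routine flags the Netlogon events 5827 to 5831 that the August 2020 update added to domain controllers, plus the 4742 "computer account was changed" audit event when its subject is ANONYMOUS LOGON, a documented side effect of a Netlogon password reset. The record field names are a simplified form of the real event XML and every sample record is constructed.

```python
"""Toy triage of constructed Windows event records for CVE-2020-1472 indicators.
Events 5827-5831 were added to domain controllers by the August 2020 Netlogon update;
4742 ("A computer account was changed") is a standard audit event. Field names are a
simplified form of the real event XML (assumption); every record here is constructed."""

# Event ID -> (severity, meaning), as logged on a patched domain controller.
NETLOGON_EVENTS = {
    5827: ("high", "vulnerable secure channel denied for a machine account (enforcement blocked it)"),
    5828: ("high", "vulnerable secure channel denied for a trust account (enforcement blocked it)"),
    5829: ("high", "vulnerable secure channel ALLOWED: this DC is not yet in enforcement mode"),
    5830: ("medium", "vulnerable connection allowed by an explicit policy exception (machine account)"),
    5831: ("medium", "vulnerable connection allowed by an explicit policy exception (trust account)"),
}

def classify(event):
    """Return (severity, reason) if the record matches a ZeroLogon indicator, else None."""
    eid = event.get("EventID")
    if eid in NETLOGON_EVENTS:
        return NETLOGON_EVENTS[eid]
    # The exploit resets a machine account password over an unauthenticated channel, which
    # surfaces as 4742 with ANONYMOUS LOGON as the subject; legitimate changes carry a real one.
    if eid == 4742 and (event.get("SubjectUserName") or "").upper() == "ANONYMOUS LOGON":
        return ("critical", "computer account changed by ANONYMOUS LOGON (possible Netlogon password reset)")
    return None

def triage(events):
    """Correlate each matching record with its host and account for the analyst."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            findings.append({"host": ev.get("Computer"), "event_id": ev["EventID"],
                             "account": ev.get("TargetUserName") or ev.get("MachineAccount"),
                             "severity": hit[0], "reason": hit[1]})
    return findings

# Constructed samples: a benign logon, a blocked attempt, an allowed vulnerable connection
# on an unenforced DC, and an anonymous computer-account change on the same DC.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01.corp.example", "TargetUserName": "jsmith"},
    {"EventID": 5827, "Computer": "DC01.corp.example", "MachineAccount": "WS42$"},
    {"EventID": 5829, "Computer": "DC02.corp.example", "MachineAccount": "DC02$"},
    {"EventID": 4742, "Computer": "DC02.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC02$"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} event {f['event_id']} {f['account']}: {f['reason']}")
```

A 5829 on a domain controller is the signal to check most urgently: it means the DC accepted a vulnerable connection because enforcement mode was not yet on, which is exactly the window the February 2021 change closes.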

We have created threat hunting processes to detect suspicious activity from insider threats. These processes look for anomalous behaviour, with a focus around privilege escalation and unusual user activity.

As is the case with many vulnerabilities being actively exploited, our recommended mitigation is to ensure that all affected server versions are patched with the latest security updates.
