
Microsoft Netlogon Vulnerability CVE-2020-1472

6 April 2021

In September 2020 details of a critical vulnerability known as ‘ZeroLogon’, tracked as CVE-2020-1472, were published. The flaw lies in the Netlogon Remote Protocol (MS-NRPC) implemented by Windows Domain Controllers. Microsoft had already addressed it in the August 2020 Windows Security Update, roughly a month before the technical write-up appeared and before it became widely known and distributed among threat actors. Since its announcement, proof-of-concept exploits have been released publicly, and a module for exploiting CVE-2020-1472 has been added to the Metasploit framework.

Sapphire has been monitoring for this vulnerability since September 2020. An analysis of available threat intelligence indicates that it continues to be exploited in the wild. There has been a significant increase in activity related to ZeroLogon over recent days, with multiple references in threat intelligence both to the vulnerability itself and to malware capable of exploiting it. This may be driven by Microsoft's announcement that, from 9 February 2021, enforcement mode is enabled by default through a security update for this vulnerability: the window of opportunity for attackers, which now depends on Domain Controllers that remain unpatched, is narrowing.

The vulnerability itself lies in the cryptographic mechanism Netlogon uses to authenticate a client. The session credential is computed with AES-CFB8 using a fixed, all-zero initialisation vector, so for roughly 1 in 256 session keys an all-zero client challenge produces an all-zero credential. An attacker who can reach a Domain Controller's Netlogon RPC interface over the network, with no credentials at all, simply retries until this happens (on average after about 256 attempts), authenticates as the Domain Controller's own machine account, uses NetrServerPasswordSet2 to reset that account's password to an empty value, and then replicates every account's credentials, including Domain Admin accounts, via DCSync. This elevates the attacker to the highest privileges available within a Windows Domain. We assess that this increases the risk around malicious insiders: because no credentials are required, any user or device on the internal network that can reach a Domain Controller, not only those already holding some privileged access to it, can escalate to Domain Admin.
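To make the flaw concrete, the following added example (written for this page; it is not code from the original post or from Microsoft) reproduces the CFB8 structure of the Netlogon credential computation with an all-zero IV and simulates the attacker's retry loop. Two substitutions are assumptions so that it runs with only the Python standard library: the block cipher is a SHA-256-based stand-in for AES-128, and each round's session key is a random 16-byte value rather than the real derivation from the challenges and the machine password. The zero IV and the resulting 1-in-256 acceptance rate are the genuine weakness.

```python
import hashlib
import random
from typing import Optional

BLOCK_SIZE = 16       # AES block size in bytes
CHALLENGE_SIZE = 8    # Netlogon challenge and credential size in bytes
ZERO_IV = bytes(BLOCK_SIZE)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (ASSUMPTION: SHA-256 truncated to one block, so the
    example needs no third-party library). Only the property used below matters:
    for a random key the first output byte is 0x00 with probability 1/256."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: a 16-byte shift register starts as the IV; each plaintext byte is
    XORed with the first byte of E(K, register) and the resulting ciphertext
    byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb8_encrypt; the register is fed ciphertext on both sides."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(register))[0])
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Shape of MS-NRPC ComputeNetlogonCredential (AES variant): CFB8 over the
    8-byte challenge with the IV fixed to all zeros. The fixed zero IV is the bug."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def credential_is_spoofable(session_key: bytes) -> bool:
    """True when an all-zero client challenge yields an all-zero credential.
    With a zero IV and zero plaintext the first ciphertext byte is
    E(K, 0^16)[0]; if that byte is zero the register never changes and every
    following byte is zero too, so this happens for about 1 key in 256."""
    zero_challenge = bytes(CHALLENGE_SIZE)
    return compute_netlogon_credential(session_key, zero_challenge) == zero_challenge


def random_key(rng: random.Random) -> bytes:
    return rng.getrandbits(8 * BLOCK_SIZE).to_bytes(BLOCK_SIZE, "big")


def attempts_until_spoof(seed: int, max_attempts: int = 10_000) -> Optional[int]:
    """Simulates the attacker loop. Each NetrServerReqChallenge round gives a
    fresh server challenge and therefore a fresh session key (modelled as a
    random key, an ASSUMPTION); the attacker always sends an all-zero client
    challenge and an all-zero credential and retries until it is accepted.
    Returns the number of rounds needed, or None if max_attempts ran out."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        if credential_is_spoofable(random_key(rng)):
            return attempt
    return None


def spoof_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random session keys that accept the all-zero credential."""
    rng = random.Random(seed)
    hits = sum(credential_is_spoofable(random_key(rng)) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print(f"spoofable keys: {spoof_rate(25_600):.4%} (expected about 1/256 = 0.39%)")
    print(f"rounds needed in one simulated run: {attempts_until_spoof(seed=3)}")
```

The point the script makes is structural rather than statistical: a zero IV and a zero plaintext byte mean the only thing standing between the attacker and a valid credential is the first byte of one block encryption, and nothing in the protocol rate-limits the retries.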

Since CVE-2020-1472 was announced, Sapphire has created several rules that detect and alert our analysts to behaviour relating to this vulnerability, including rules that correlate vulnerability data with Windows Event IDs on affected products. Using threat intelligence, we have continued to fine-tune these rules, tailoring our indicators of compromise and identifying when this vulnerability is being exploited. With the vulnerability itself readily identifiable, the ongoing focus has been on identifying and including other indicators: associated malware, associated IP addresses and command and control servers, and user behaviour.
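As an added illustration of what such correlation looks like (this is example code written for this page, not Sapphire's production rules), the script below runs three checks over constructed, SIEM-normalised Windows events: a Security Event ID 4742 (computer account changed) where the subject is ANONYMOUS LOGON and the Password Last Set attribute changed, which is the password-reset step of the exploit; the Netlogon System-channel events 5827 and 5828, which a patched Domain Controller logs when it denies a vulnerable connection; and 5829 to 5831, logged when a vulnerable connection is still allowed. The sample log lines and the per-host enforcement data are constructed; the field names and the escalation to critical when the reset targets a Domain Controller's own account are the parts a practitioner would keep.

```python
import json
from typing import Dict, Iterable, List, Set

# Constructed sample records (not real telemetry). The Security channel 4742
# fields and the Netlogon System-channel events 5827-5831 introduced by the
# August 2020 update are normalised into one JSON object per line, as a SIEM
# forwarder would emit them.
SAMPLE_LOG = """\
{"Channel": "Security", "EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$", "PasswordLastSet": "4/6/2021 10:14:02"}
{"Channel": "Security", "EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "svc-sccm", "SubjectDomainName": "CORP", "TargetUserName": "WS0042$", "PasswordLastSet": "-"}
{"Channel": "System", "EventID": 5827, "Computer": "DC01.corp.example", "MachineAccount": "WS0042$", "IpAddress": "10.0.5.23"}
{"Channel": "System", "EventID": 5829, "Computer": "DC02.corp.example", "MachineAccount": "PRINTSRV$", "IpAddress": "10.0.8.9"}
{"Channel": "Security", "EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "-", "TargetUserName": "alice", "LogonType": 3}
"""

# Netlogon events on a patched DC: vulnerable connections denied, and
# vulnerable connections still allowed (enforcement off, or exempted by policy).
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED = {5829, 5830, 5831}


def parse_events(log: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def host_of(event: Dict) -> str:
    """Short, upper-cased hostname from the Computer field."""
    return event.get("Computer", "").split(".")[0].upper()


def detect_zerologon(events: Iterable[Dict], dc_accounts: Set[str],
                     enforcement_on: Dict[str, bool]) -> List[Dict]:
    """Returns one alert per matching event, in log order.

    dc_accounts: machine accounts of Domain Controllers, e.g. {"DC01$"}.
    enforcement_on: Netlogon enforcement state per short hostname, taken from
    configuration or vulnerability scan data (ASSUMPTION: supplied by the
    caller; the event stream itself does not carry it).
    """
    alerts: List[Dict] = []
    for e in events:
        eid = e.get("EventID")
        host = host_of(e)
        if (eid == 4742
                and e.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
                and e.get("TargetUserName", "").endswith("$")
                and e.get("PasswordLastSet", "-") != "-"):
            # Machine account password reset over an anonymous session: the
            # NetrServerPasswordSet2 step of the exploit. If the target is a
            # DC's own account the attacker can now DCSync the whole domain.
            target = e["TargetUserName"]
            alerts.append({
                "rule": "machine_password_reset_by_anonymous_logon",
                "severity": "critical" if target in dc_accounts else "high",
                "host": host, "account": target,
            })
        elif eid in NETLOGON_DENIED:
            # Enforcement blocked it, but something at IpAddress tried an
            # insecure channel: an exploit attempt or an unpatched device.
            alerts.append({
                "rule": "vulnerable_netlogon_connection_denied",
                "severity": "medium",
                "host": host, "account": e.get("MachineAccount"),
                "source": e.get("IpAddress"),
            })
        elif eid in NETLOGON_ALLOWED:
            # The DC accepted a vulnerable channel. Worse when our scan data
            # says enforcement is off on that DC than when a policy exemption
            # explains it.
            alerts.append({
                "rule": "vulnerable_netlogon_connection_allowed",
                "severity": "low" if enforcement_on.get(host, False) else "medium",
                "host": host, "account": e.get("MachineAccount"),
                "source": e.get("IpAddress"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_zerologon(parse_events(SAMPLE_LOG),
                                  dc_accounts={"DC01$", "DC02$"},
                                  enforcement_on={"DC01": True, "DC02": False}):
        print(alert)
```

In the sample, the benign 4742 (an administrative account changing a workstation object without a password change) and the unrelated 4624 produce nothing, while the anonymous reset of DC01$ is the alert an analyst should treat as an active compromise rather than a configuration finding.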

We have created threat hunting processes to detect suspicious activity from insider threats. These processes look for anomalous behaviour, with a focus around privilege escalation and unusual user activity.

As is the case with many actively exploited vulnerabilities, our recommended mitigation is to ensure that all affected Domain Controllers are patched with the latest security updates. Once patched, confirm that Netlogon enforcement mode is active: it is on by default from the February 2021 update, and on Domain Controllers that have only the August 2020 update it can be switched on by setting the FullSecureChannelProtection value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Then review Event IDs 5827 to 5831 on each Domain Controller to find devices that are still attempting vulnerable Netlogon connections before they are denied.
