Disclosed in August 2020, the Zerologon vulnerability (CVE-2020-1472) continues to have a significant impact.
With a CVSS score of 10, Zerologon is a privilege escalation vulnerability that can be used to spoof domain controller accounts and hijack domains.
A continuing security threat
The ongoing impact of Zerologon was highlighted at Redscan’s latest Ethical Hacking Roundtable event, which explored critical vulnerabilities in 2020. The roundtable panel featured Tom Tervoort, who discovered and disclosed Zerologon. The other panellists were George Glass, Head of Threat Intelligence at Redscan, Dr Elizabeth Bruton, Curator of Technology and Engineering at the Science Museum, and Dinis Cruz, CTO and CISO of Glasswall and an OWASP Project Lead.
Recognising the risks
2020 has seen the emergence of many serious security vulnerabilities, such as those discovered in F5 BIG-IP, Windows DNS and Citrix. However, the consensus of the roundtable panel was that Zerologon is the most underestimated, and the most serious, of all the vulnerabilities to emerge in the last 12 months, and that it is likely to remain a significant security risk to organisations in 2021.
“Mitigation of the Zerologon flaw is generally relatively easy. But if you are unable to mitigate it or if an organisation is unaware, then it is very problematic. The impact of Zerologon is still very serious.”
George Glass added that, while specialists are very much aware of Zerologon, the response outside the security community is not commensurate with the level of risk it poses. Dinis Cruz sees Zerologon as: “One of the most critical vulnerabilities we’ve had for a while.”
Dr Elizabeth Bruton discussed how the risks of Zerologon and other critical vulnerabilities have grown because of the shift to remote working in response to the coronavirus crisis.
“If there’s one vulnerability that everyone should do something about, this is it. I don’t think it’s being taken seriously enough.”
George Glass mentioned the increased threat that Zerologon poses when chained with the numerous edge vulnerabilities disclosed in the last year. He said that this creates a ‘potent mix’, enabling attackers to gain initial access, achieve full domain takeover and deploy ransomware within the space of just a few hours.
Recent examples of threat actors exploiting Zerologon include a campaign of attacks on the automotive industry and state-sponsored actors in China attempting to exploit Zerologon in attacks against Japanese companies.
How to mitigate the risks of Zerologon
Organisations can mitigate the risks associated with Zerologon by patching vulnerable Windows webservers and by monitoring network and endpoint activity to help identify anomalous or malicious network activity. This second control is almost as important as the first, because organisations may already have been compromised before applying a patch.
To help organisations detect Zerologon, Redscan Labs has developed a dedicated detection tool. Zerologon Detector analyses Windows event logs for evidence of a compromise and provides a list of IP addresses relating to any malicious inbound and outbound activity identified.
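As an added example of the event-log detection approach described above (this is not Redscan's Zerologon Detector and not code from the original post), the Python below scans constructed sample Windows events and flags the two indicators most associated with Zerologon: a 4742 computer-account password change performed by ANONYMOUS LOGON against a domain controller account, and a 5829 event from a patched DC reporting that it allowed a vulnerable Netlogon secure channel. Because a 4742 event carries no client address, source IPs are attributed by correlating with anonymous network logons (4624, logon type 3) in a short preceding window; that window, the `dc_accounts` list and the event field layout are assumptions of this example.

```python
"""Scan exported Windows events for Zerologon indicators (added example)."""
from datetime import datetime

# Constructed sample events, not real logs. Field names follow the EventData
# names of Event IDs 4624, 4742 and 5829; times are ISO 8601 for simplicity.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2020-09-15T10:00:01", "TargetUserName": "ANONYMOUS LOGON",
     "LogonType": "3", "IpAddress": "10.0.0.5"},
    {"EventID": 4742, "Time": "2020-09-15T10:00:02", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "15/09/2020 10:00:02"},
    {"EventID": 4742, "Time": "2020-09-15T11:30:00", "SubjectUserName": "svc_admin",
     "TargetUserName": "WS42$", "PasswordLastSet": "-"},   # benign: no password change
    {"EventID": 5829, "Time": "2020-09-15T12:00:00", "MachineSamAccountName": "FILE01$"},
    {"EventID": 4624, "Time": "2020-09-15T13:00:00", "TargetUserName": "ANONYMOUS LOGON",
     "LogonType": "3", "IpAddress": "10.0.0.9"},          # too far from any 4742
]


def _when(event):
    return datetime.fromisoformat(event["Time"])


def find_zerologon_indicators(events, dc_accounts, window_seconds=60):
    """Return (findings, source_ips).

    findings: (EventID, account, reason) tuples for suspicious events.
    source_ips: addresses of anonymous network logons seen within
    window_seconds before a flagged 4742 (heuristic correlation; assumption).
    """
    anon_logons = [e for e in events if e["EventID"] == 4624
                   and e.get("TargetUserName") == "ANONYMOUS LOGON"
                   and e.get("LogonType") == "3"]
    findings, source_ips = [], set()
    for e in events:
        if (e["EventID"] == 4742
                and e.get("SubjectUserName") == "ANONYMOUS LOGON"
                and e.get("TargetUserName", "").upper() in dc_accounts
                and e.get("PasswordLastSet", "-") != "-"):
            findings.append((4742, e["TargetUserName"],
                             "DC machine-account password reset by ANONYMOUS LOGON"))
            t = _when(e)
            for logon in anon_logons:
                if 0 <= (t - _when(logon)).total_seconds() <= window_seconds:
                    source_ips.add(logon["IpAddress"])
        elif e["EventID"] == 5829:
            # Logged by a patched DC that still allowed a vulnerable channel:
            # evidence of an unpatched or non-compliant device, not of exploitation.
            findings.append((5829, e["MachineSamAccountName"],
                             "vulnerable Netlogon secure channel allowed"))
    return findings, sorted(source_ips)


if __name__ == "__main__":
    for line in find_zerologon_indicators(SAMPLE_EVENTS, {"DC01$"}):
        print(line)
```

In practice the events would come from the Security and System logs of every domain controller (for example via an export of the relevant Event IDs), and the IP list would be reviewed against network telemetry rather than trusted on its own.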
Watch our Zerologon webinar for more information on the vulnerability and how to protect your business