Cookie Notice

We use cookies to analyse site traffic and optimise your browsing experience. Accepting necessary cookies is required to provide you with a minimum level of service. Read Cookie Statement

Get In Touch
Contact Us

Contact Us

Please get in touch using the form below

1000 characters left
I prefer to be contacted by:
View our privacy policy
Experiencing a breach? Get emergency incident response assistance.
Last updated on

Disclosed in August 2020, the Zerologon vulnerability (CVE-2020-1472) continues to have a significant impact.

With a CVSS score of 10, Zerologon is a privilege escalation vulnerability that can be used to spoof domain controller accounts and hijack domains.

 

A continuing security threat

The ongoing impact of Zerologon was highlighted at Redscan’s latest Ethical Hacking Roundtable event which explored critical vulnerabilities in 2020. The roundtable panel featured Tom Tervoort , who discovered and disclosed Zerologon. The other panellists were George Glass , Head of Threat Intelligence at Redscan, Dr Elizabeth Bruton , Curator of Technology and Engineering at the Science Museum, and Dinis Cruz , CTO and CISO of Glasswall and an OWASP Project Lead.

 

Recognising the risks

2020 has seen the emergence of many serious security vulnerabilities, such as those discovered in F5 BIG IP, Windows DNS and Citrix. However, the consensus of the roundtable panel was that Zerologon is the most underestimated but serious of all the vulnerabilities to emerge in the last 12 months and is likely to continue to be a significant security risk to organisations in 2021.

“Mitigation of the Zerologon flaw is generally relatively easy. But if you are unable to mitigate it or if an organisation is unaware, then it is very problematic. The impact of Zerologon is still very serious.”

Tom Tervoort

George Glass added that, while specialists are very much aware of Zerologon, the response outside the security community is not commensurate with the level of risk it poses. Dinis Cruz sees Zerologon as: “One of the most critical vulnerabilities we’ve had for a while.”

Dr Elizabeth Bruton discussed how the risks of Zerologon and other critical vulnerabilities have grown because of the shift to remote working in response to the coronavirus crisis.

“If there’s one vulnerability that everyone should do something about, this is it. I don’t think it’s being taken seriously enough”

Dinis Cruz

George Glass mentioned the increased threat that Zerologon poses when chained with the numerous edge vulnerabilities disclosed in the last year. He said that this creates a ‘potent mix’, enabling attackers to gain initial access and achieve full domain takeover and deploy ransomware within the space of just a few hours.

Recent examples of threat actors exploiting Zerologon include a recent campaign of attacks on the automotive industry and state-sponsored actors in China attempting to exploit Zerologon in attacks against Japanese companies.

 

How to mitigate the risks of Zerologon

Organisations can mitigate the risks associated with Zerologon by patching vulnerable Windows webservers and by monitoring network and endpoint activity to help identify anomalous malicious network activity. This second control is almost equally important as the first, as organisations may have been compromised before applying a patch.

 

Zerologon Detector

To help organisations detect Zerologon, Redscan Labs has developed a dedicated detection tool. Zerologon Detector analyses Windows event logs for evidence of a compromise and provides a list of IP addresses relating to any malicious inbound and outbound activity identified.

Watch our Zerologon webinar for more information on the vulnerability and how to protect your business