
ZeroLogon vulnerability (CVE-2020-1472)

Ajishlal, Cybersecurity Overlord ✭✭✭

The Zerologon vulnerability (CVE-2020-1472) allows a privilege escalation attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.

The flaw was addressed in Microsoft's August 2020 security updates. However, the risk went up when four PoCs were released publicly.

Recently, Microsoft warned about multiple malicious activities by MuddyWater using the Zerologon vulnerability in active campaigns over the last 2 weeks.

MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations, including the United Arab Emirates.

Recommendations

It is highly recommended to ensure all your servers are patched and up to date. For further details about Zerologon mitigation steps, please see the official notes released by Microsoft:

1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

2. https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#Updates%20section

Initiate threat hunting activity for Event ID 5805 (SYSTEM), or 4624 followed by 4742, as both will be triggered when the exploit is executed.

Category: Water Cooler
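The hunting guidance in the post above (Event ID 5805, or a 4624 logon followed by a 4742 computer-account change) can be turned into a small correlation routine. The following is an added example, not code from the original post or from Microsoft; it runs offline over constructed sample events. Assumptions it makes: 5805 events are grouped by the `ComputerName` field of the Netlogon event, a 4624 is linked to a later 4742 on the same domain controller when the 4624 `TargetUserName` equals the 4742 `SubjectUserName`, and the 60-second window and burst threshold of 3 are illustrative values to tune for your environment. The sample event values (host names, IP, timestamps) are made up.

```python
"""Correlate Windows event records for Zerologon (CVE-2020-1472) hunting.

Added example, not from the original post. Two hunts are implemented:
  1. bursts of Netlogon Event ID 5805 from one source computer
  2. a 4624 logon followed within a short window by a 4742
     (computer account changed) performed by the same account
Field names follow the Windows event XML (TargetUserName, SubjectUserName,
IpAddress, ComputerName); the record values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2020-10-06T10:00:01", "id": 5805, "computer": "DC01",
     "data": {"ComputerName": "WKSTN-ATTACK"}},
    {"time": "2020-10-06T10:00:02", "id": 5805, "computer": "DC01",
     "data": {"ComputerName": "WKSTN-ATTACK"}},
    {"time": "2020-10-06T10:00:04", "id": 5805, "computer": "DC01",
     "data": {"ComputerName": "WKSTN-ATTACK"}},
    # Benign interactive logon that is never followed by a 4742.
    {"time": "2020-10-06T10:00:05", "id": 4624, "computer": "DC01",
     "data": {"TargetUserName": "alice", "IpAddress": "10.0.0.7",
              "LogonType": "2"}},
    # Suspicious pair: anonymous network logon, then the DC's own
    # machine account is changed one second later by that anonymous actor.
    {"time": "2020-10-06T10:00:09", "id": 4624, "computer": "DC01",
     "data": {"TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.50",
              "LogonType": "3"}},
    {"time": "2020-10-06T10:00:10", "id": 4742, "computer": "DC01",
     "data": {"SubjectUserName": "ANONYMOUS LOGON",
              "TargetUserName": "DC01$"}},
    # Benign routine machine-password rotation with no linked 4624.
    {"time": "2020-10-06T11:30:00", "id": 4742, "computer": "DC01",
     "data": {"SubjectUserName": "WKSTN-22$", "TargetUserName": "WKSTN-22$"}},
]


def _t(stamp):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(stamp)


def hunt_5805(events, threshold=3, window=timedelta(seconds=60)):
    """Return [(source_computer, max_count)] for sources that raised at least
    `threshold` Event ID 5805 records inside one sliding `window`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["id"] == 5805:
            by_source[ev["data"].get("ComputerName", "?")].append(_t(ev["time"]))
    hits = []
    for src, times in by_source.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window start
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((src, best))
    return hits


def hunt_4624_then_4742(events, window=timedelta(seconds=60)):
    """Pair each 4742 with the first earlier 4624 on the same host whose
    logged-on account (TargetUserName) is the 4742 actor (SubjectUserName)
    and whose timestamp lies within `window` before the change."""
    logons = [ev for ev in events if ev["id"] == 4624]
    findings = []
    for chg in events:
        if chg["id"] != 4742:
            continue
        t_chg = _t(chg["time"])
        actor = chg["data"].get("SubjectUserName")
        for lg in logons:
            delta = t_chg - _t(lg["time"])
            if (lg["computer"] == chg["computer"]
                    and lg["data"].get("TargetUserName") == actor
                    and timedelta(0) <= delta <= window):
                findings.append({
                    "host": chg["computer"],
                    "actor": actor,
                    "source_ip": lg["data"].get("IpAddress"),
                    "changed_account": chg["data"].get("TargetUserName"),
                    "delta_seconds": delta.total_seconds(),
                })
                break
    return findings


if __name__ == "__main__":
    for src, n in hunt_5805(SAMPLE_EVENTS):
        print(f"5805 burst: {n} Netlogon failures from {src}")
    for f in hunt_4624_then_4742(SAMPLE_EVENTS):
        print(f"4624->4742 on {f['host']}: {f['actor']} from {f['source_ip']} "
              f"changed {f['changed_account']} after {f['delta_seconds']:.0f}s")
```

On a real domain controller the 5805 records come from the System log and 4624/4742 from the Security log, so the events would be exported (for instance with Get-WinEvent or from a SIEM) into the record shape above before running the correlation. Note that 4742 also fires for routine machine-password rotation, which is why the pairing with a preceding logon, rather than the 4742 alone, is what the hunt keys on.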