ZeroLogon Ransomware Exploit Active Directory Vulnerability To Gain Domain Controller Access
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A significant threat has emerged in the form of the ZeroLogon ransomware exploit. This exploit targets a critical vulnerability in Microsoft’s Active Directory, specifically affecting domain controllers.
The vulnerability, known as CVE-2020-1472, allows attackers to gain unauthorized access to domain controllers without needing any credentials which dubbed the name “ZeroLogon.”
The ZeroLogon exploit takes advantage of a flaw in the Netlogon Remote Protocol (MS-NRPC), which is used for authentication and authorization within Active Directory environments.
Cybersecurity researchers at Group-IB detected that this protocol is crucial for domain controllers to manage and authenticate user and machine accounts across the network.
Besides this, the RansomHub surfaced in early February 2024 as a new Ransomware-as-a-Service (RaaS) operation, emerging right after ALPHV shut down its infrastructure.
.webp)
RansomHub ransom message (Source – Group-IB)
ALPHV’s closure followed the backlash from a major attack on Change Healthcare.
Amid law enforcement crackdowns on ALPHV and LockBit ransomware groups, RansomHub seized the opportunity to roll out its own partnership program.
CVE-2020-1472 Vulnerability
.webp)
Schema upload (Source – Group-IB)
.webp)
Sample schema (Source – Group-IB)
The exploitation process begins with the attacker gaining initial network access, often through phishing or social engineering tactics.
.webp)
Schema critical asset access (Source – Group-IB)
Once inside, they use tools like the ZeroLogon exploit to send a crafted Netlogon message to the domain controller, resetting its password and allowing access without credentials.
With control over the domain controller, the attacker can execute commands, install malware, or deploy ransomware across the network.
While specific exploit code is not provided here due to security concerns, organizations can use tools like PowerShell scripts to monitor for suspicious Netlogon activity.
For instance, monitoring event logs for unusual authentication attempts can help detect potential exploitation.
# Example PowerShell script to monitor event logs for suspicious activity Get-WinEvent -FilterHashtable @{ LogName = 'Security' ID = 4624 # Logon event } | Where-Object {$_.Properties[8].Value -eq '0'} # Filter for logons with no credentials
To protect against the ZeroLogon exploit, organizations should ensure all domain controllers are updated with the latest security patches from Microsoft, monitor network traffic for suspicious activity—especially around domain controllers—and implement additional security measures like multi-factor authentication and network segmentation to limit malware spread.
However, staying informed and proactive is essential to mitigating such vulnerabilities. The ZeroLogon exploit is a serious threat that requires immediate attention from IT professionals and cybersecurity teams.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
ZeroLogon Ransomware Exploit Active Directory Vulnerability To Gain Domain Controller Access
Author: Tushar Subhra DuttaA significant threat has emerged in the form of the ZeroLogon ransomware exploit. This exploit targets a critical vulnerability in Microsoft’s Active Directory, specifically affecting domain controllers.
The vulnerability, known as CVE-2020-1472, allows attackers to gain unauthorized access to domain controllers without needing any credentials which dubbed the name “ZeroLogon.”
The ZeroLogon exploit takes advantage of a flaw in the Netlogon Remote Protocol (MS-NRPC), which is used for authentication and authorization within Active Directory environments.
Cybersecurity researchers at Group-IB detected that this protocol is crucial for domain controllers to manage and authenticate user and machine accounts across the network.
Besides this, the RansomHub surfaced in early February 2024 as a new Ransomware-as-a-Service (RaaS) operation, emerging right after ALPHV shut down its infrastructure.
RansomHub ransom message (Source – Group-IB)ALPHV’s closure followed the backlash from a major attack on Change Healthcare.
Amid law enforcement crackdowns on ALPHV and LockBit ransomware groups, RansomHub seized the opportunity to roll out its own partnership program.
CVE-2020-1472 Vulnerability
- Description: The vulnerability allows an attacker to bypass authentication and gain administrative access to a domain controller. This is achieved by sending a specially crafted Netlogon message to the domain controller, which can reset the password of the domain controller account without knowing the current password.
Schema upload (Source – Group-IB)- Impact: Once an attacker gains access to a domain controller, they can control the entire Active Directory environment. This includes creating new user accounts, modifying existing ones, and even deploying malware across the network.
Sample schema (Source – Group-IB)The exploitation process begins with the attacker gaining initial network access, often through phishing or social engineering tactics.
Schema critical asset access (Source – Group-IB)Once inside, they use tools like the ZeroLogon exploit to send a crafted Netlogon message to the domain controller, resetting its password and allowing access without credentials.
With control over the domain controller, the attacker can execute commands, install malware, or deploy ransomware across the network.
While specific exploit code is not provided here due to security concerns, organizations can use tools like PowerShell scripts to monitor for suspicious Netlogon activity.
For instance, monitoring event logs for unusual authentication attempts can help detect potential exploitation.
# Example PowerShell script to monitor event logs for suspicious activity Get-WinEvent -FilterHashtable @{ LogName = 'Security' ID = 4624 # Logon event } | Where-Object {$_.Properties[8].Value -eq '0'} # Filter for logons with no credentials
To protect against the ZeroLogon exploit, organizations should ensure all domain controllers are updated with the latest security patches from Microsoft, monitor network traffic for suspicious activity—especially around domain controllers—and implement additional security measures like multi-factor authentication and network segmentation to limit malware spread.
However, staying informed and proactive is essential to mitigating such vulnerabilities. The ZeroLogon exploit is a serious threat that requires immediate attention from IT professionals and cybersecurity teams.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
