Zerologon is a critical privilege escalation vulnerability targeting Domain Controller (DC) servers used in most network systems of large organizations and enterprises in Viet Nam. After a successful exploit, an attacker can take control of all accounts in the systems, including administrator accounts. According to Bkav, one Vietnamese enterprise has become a victim of Zerologon.
Zerologon (CVE-2020-1472) received a maximum severity score, allowing an unauthenticated attacker to gain control of DC servers and completely compromise all Active Directory identity services. The exploit is performed by sending a large number of authentication requests to the DC server via the NetLogon protocol, with the credentials containing only 0 (Zero) values. The authentication is successful if the appropriate random key is selected by the server. The probability of this key is 1/256.
According to Bkav researchers, the attack scenario will include two steps. Initially, a hacker takes control of a computer or server which can be a VPN server, a user computer or a web server, etc. connected to the DC server. Then, the hacker attacks the DC by exploiting the Zerologon vulnerability.
“DC is the backbone of other systems, therefore it is not patched regularly. It means that most of systems deploying DC are vulnerable to this flaw. With 50% of servers using Windows Server operating system, it will be a huge risk for network systems not only in Viet Nam but all over the world”, said Nguyen Van Cuong, the leader of research group.
Mr. Cuong noted that the first victim of the Zerologon attack in Viet Nam has been identified. Hackers have successfully penetrated the system and fully controlled all user accounts of this company.
Due to the flaw’s critical severity, administrators are recommended to urgently check and update patches for their systems. They can view the details, follow the instruction, check and fix the bug here. Particularly, the systems installed security operations center eEye SOC will be automatically protected against Zerologon attacks.