Cloned Boy
Professional
- Messages
- 1,228
- Reaction score
- 1,069
- Points
- 113
Zerologon (CVE-2020-1472) is a critical vulnerability in the Windows Server Netlogon protocol discovered in 2020. It allowed hackers to compromise Active Directory (AD) domain controllers in seconds without a password.
Want another vulnerability analyzed? For example, Log4Shell — how a Java library bug shook the internet?
				
			 What is Zerologon?
 What is Zerologon?
Technical essence of the vulnerability
- Where? In the Netlogon protocol (used for authentication in Windows domains).
- Problem: Cryptography error (AES-CFB8 with incorrect IV check).
- Result: It is possible to forge a request and obtain domain administrator rights.
How did it work?
- The hacker sent a special request to the domain controller.
- The server did not verify the authenticity of the request due to an encryption bug.
- The attacker gained full control over the domain (including all computers and accounts).
 Who used Zerologon?
 Who used Zerologon?
1. Cybercriminals
- Ransomware groups (Conti, Ryuk) hacked corporate networks and encrypted data.
- Financial predators stole logins from banking systems.
2. State hackers
- Chinese APT groups have attacked US government networks.
- Russian hackers (such as Cozy Bear) used Zerologon for stealth access.
3. Script-kiddie
Due to the ease of exploitation (there is a ready-made PoC in Metasploit), the vulnerability has become widespread. How was the vulnerability discovered and fixed?
 How was the vulnerability discovered and fixed?
1. Who found it?
- Researchers from Secura (Netherlands) in August 2020.
2. Microsoft's reaction
- August 2020: Urgent patch (but many have not updated).
- February 2021: Forced shutdown of vulnerable version of Netlogon.
3. Difficulty in correction
- Old devices (printers, IoT) broke after the update.
- Some companies are still vulnerable (according to CISA).
 Zerologon Consequences
 Zerologon Consequences
1. Global hacks
- Hospitals, banks, government agencies were attacked via Zerologon.
- Losses: Tens of millions of dollars (due to ransomware).
2. Security Changes
- Active Directory now requires strong authentication.
- Cyber insurance has become more expensive for companies with legacy systems.
3. A lesson for the industry
- Even "innocent" protocols can be dangerous.
- Automatic update is a must.
 What did this case teach us?
 What did this case teach us?
- One line of code can break all security.
- Old systems = prime target for hackers.
- Even Microsoft isn't always quick to fix holes.
Want another vulnerability analyzed? For example, Log4Shell — how a Java library bug shook the internet?
 
	 
 
		 
 
		