ZeroLogon is the name given to an extremely dangerous vulnerability that Microsoft disclosed and patched in August 2020. It received the identifier CVE-2020-1472 and was assigned the maximum severity rating of 10. The exploit takes advantage of weak cryptographic algorithms used in the Netlogon authentication process. Through the bug, threat actors can disable security measures in the Netlogon authentication process, change the password for Active Directory (the database that holds every computer connected to a domain along with the domain controller's passwords), and spoof the identity of any machine on the network when authenticating to the domain controller.
ZeroLogon has one massive limitation: it cannot be used to take over Windows servers from outside their network. Threat actors first have to establish a foothold, but once they do, ZeroLogon lets them completely compromise the Windows domain in a matter of seconds.
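A defender-side check to go with the description above, added here as an example and not part of the original article: it triages the Netlogon events that Microsoft's August 2020 patch introduced (IDs 5827 to 5831 in the System log) together with the Security-log event 4742 that a reset of a domain controller's computer account password produces. The event records, account names and addresses are constructed for illustration, and the field names are an assumed simplified shape rather than the raw Windows event XML.

```python
from collections import Counter

# Netlogon event IDs (System log, source NETLOGON) introduced by the CVE-2020-1472 patch.
NETLOGON_DENIED = {5827, 5828}                    # vulnerable secure channel refused
NETLOGON_ALLOWED_VULNERABLE = {5829, 5830, 5831}  # vulnerable secure channel still permitted
COMPUTER_ACCOUNT_CHANGED = 4742                   # Security log: "A computer account was changed"

# Constructed sample records in an assumed, simplified shape (not the raw Windows event XML).
SAMPLE_EVENTS = [
    {"log": "System", "id": 5829, "machine": "NAS01$", "client_ip": "10.0.5.17"},
    {"log": "System", "id": 5827, "machine": "DC01$", "client_ip": "10.0.9.201"},
    {"log": "System", "id": 5827, "machine": "DC01$", "client_ip": "10.0.9.201"},
    {"log": "System", "id": 5827, "machine": "DC01$", "client_ip": "10.0.9.201"},
    {"log": "Security", "id": 4742, "subject": "ANONYMOUS LOGON", "target": "DC01$",
     "changed": ["Password Last Set"]},
    {"log": "Security", "id": 4742, "subject": "WS-042$", "target": "WS-042$",
     "changed": ["Password Last Set"]},  # routine self-rotation of a workstation password
]

def triage_netlogon_events(events, dc_accounts):
    """Sort events into the three buckets a responder cares about:
    denied: (account, source IP) -> how often a vulnerable connection was refused;
            a burst from one source means an unpatched device or an exploit attempt;
    allowed_vulnerable: accounts still permitted to use the weak channel (patch gaps);
    dc_password_reset: DC accounts whose password an anonymous caller changed,
            which is what a successful ZeroLogon exploit leaves behind."""
    findings = {"denied": Counter(), "allowed_vulnerable": [], "dc_password_reset": []}
    for ev in events:
        if ev["log"] == "System" and ev["id"] in NETLOGON_DENIED:
            findings["denied"][(ev["machine"], ev["client_ip"])] += 1
        elif ev["log"] == "System" and ev["id"] in NETLOGON_ALLOWED_VULNERABLE:
            findings["allowed_vulnerable"].append(ev["machine"])
        elif (ev["log"] == "Security" and ev["id"] == COMPUTER_ACCOUNT_CHANGED
              and ev.get("subject") == "ANONYMOUS LOGON"
              and ev.get("target") in dc_accounts
              and "Password Last Set" in ev.get("changed", ())):
            findings["dc_password_reset"].append(ev["target"])
    return findings

def dc_compromise_suspected(findings, burst_threshold=3):
    """True if a DC password reset was seen, or one source was refused burst_threshold+ times."""
    if findings["dc_password_reset"]:
        return True
    return any(n >= burst_threshold for n in findings["denied"].values())

if __name__ == "__main__":
    result = triage_netlogon_events(SAMPLE_EVENTS, dc_accounts={"DC01$"})
    print(dict(result["denied"]), result["allowed_vulnerable"], result["dc_password_reset"])
    print("DC compromise suspected:", dc_compromise_suspected(result))
```

Accounts that show up under 5829 to 5831 are the ones to patch or move to secure RPC before enforcement mode turns those allowances into denials.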
ZeroLogon may have been patched, but hacker groups are still using it in their attack campaigns. In fact, infosec researchers have unearthed a massive campaign targeting companies in the automotive, pharmaceutical, and engineering sectors. The campaign has been attributed to the Advanced Persistent Threat (APT) group Cicada, also known as APT10, Stone Panda and Cloud Hopper. According to the US government, Cicada's operations are sponsored by China.
Historically, the group's preferred region has been Japan, and the newly discovered campaign is no exception. Many of Cicada's old tactics, techniques, and procedures are on full display in this latest operation, but there are several new additions as well. This particular APT had not previously been seen exploiting the ZeroLogon vulnerability. Cicada has also developed and deployed a brand-new strain of malware called Backdoor.Hartip.
The goal of the campaign is most likely data theft and cyberespionage. Information exfiltrated to the attackers' servers includes corporate records, expense information, meeting transcripts, HR documents, and more.
Organizations have had several months to patch the ZeroLogon vulnerability; those that still have not done so should seriously reconsider their cybersecurity priorities.