Zerologon is a vulnerability in the cryptography of Microsoft's Netlogon authentication protocol that allows an attack against Microsoft Active Directory domain controllers (DCs), which are now deployed in the local networks of most large enterprises and organizations in Vietnam. It lets an attacker impersonate any computer in the domain, including the domain controller itself.
According to Bkav Corp., Zerologon (CVE-2020-1472) is rated 10/10 in the Common Vulnerability Scoring System (CVSS, a standard for rating the severity of a software weakness). In practice this means an attacker can take control of a DC server and the services it provides without any valid credentials; all that is needed is network access to the DC's Netlogon service.
Attackers first compromise a personal computer or server that has network access to the DC. From that foothold they then attack the DC through the Zerologon vulnerability.
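The cryptographic flaw behind the bypass is small and worth seeing in code. Netlogon proves possession of the machine-account password by encrypting an 8-byte challenge with AES in 8-bit CFB mode using a hard-coded all-zero IV. With a zero IV and an all-zero challenge, the output is all zeros whenever the first byte of the block cipher's encryption of the zero block is zero, which happens for about 1 in 256 session keys. An attacker who sends an all-zero challenge and an all-zero credential, and simply retries, therefore gets in after a few hundred attempts without knowing any password. The simulation below is an added example, not code from the article or from Bkav. It models the CFB8 computation generically over a 16-byte block cipher and, so that it runs with the standard library alone, uses a keyed SHA-256 construction as a stand-in for AES (an assumption: the property depends only on the mode and the zero IV, not on the cipher). The session key, which on a real DC is derived from the unknown machine password, is modelled as random bytes, and the "enforcing" server is a simplified model of Microsoft's enforcement mode (refuse clients that do not negotiate signing and sealing), not the exact patched check.

```python
"""Simulation of the Zerologon (CVE-2020-1472) authentication bypass.

Added example; not from the article or from Bkav. AES is replaced by a keyed
SHA-256 stand-in so the script needs only the standard library; the session
key, the server and the attacker loop are constructed for the simulation.
"""
import hashlib
import random

BLOCK_LEN = 16      # AES block size
CHALLENGE_LEN = 8   # Netlogon client challenge / credential length


def make_block_cipher(session_key: bytes):
    """Stand-in for AES-128: E_k(x) = SHA-256(k || x)[:16] (assumption for the
    demo). CFB8 only ever calls the forward direction, so a keyed PRF is enough;
    the bypass depends on the mode and the zero IV, not on the cipher itself."""
    def encrypt_block(block: bytes) -> bytes:
        assert len(block) == BLOCK_LEN
        return hashlib.sha256(session_key + block).digest()[:BLOCK_LEN]
    return encrypt_block


def cfb8_encrypt(encrypt_block, iv: bytes, plaintext: bytes) -> bytes:
    """Generic 8-bit CFB: each plaintext byte is XORed with the first byte of
    E_k(shift register); the resulting ciphertext byte is then shifted in."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = encrypt_block(bytes(reg))[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential, AES flavour: CFB8 over the 8-byte challenge
    with a hard-coded all-zero IV. The fixed zero IV is the flaw."""
    return cfb8_encrypt(make_block_cipher(session_key), bytes(BLOCK_LEN), challenge)


def zero_key_property(session_key: bytes) -> bool:
    """With IV = 0 and plaintext = 0 the register stays all-zero for as long as
    the output bytes are zero, so the whole credential is zero exactly when the
    first byte of E_k(0^16) is zero: a 1-in-256 chance per session key."""
    return make_block_cipher(session_key)(bytes(BLOCK_LEN))[0] == 0


def zero_credential_accepted(session_key: bytes) -> bool:
    """Does ClientChallenge = 0^8 together with ClientCredential = 0^8 verify?"""
    return compute_netlogon_credential(session_key, bytes(CHALLENGE_LEN)) == bytes(CHALLENGE_LEN)


class NetlogonServer:
    """Simplified DC. Every NetrServerReqChallenge starts a fresh session key;
    on a real DC it is derived from the machine-account password and both
    challenges, so from the attacker's view it is random (modelled as such).
    With enforce_secure_channel set, clients that do not negotiate signing and
    sealing are refused: a simplified model of Microsoft's enforcement mode."""

    def __init__(self, rng: random.Random, enforce_secure_channel: bool = False):
        self.rng = rng
        self.enforce_secure_channel = enforce_secure_channel

    def authenticate(self, client_challenge: bytes, client_credential: bytes,
                     client_wants_sealing: bool) -> bool:
        if self.enforce_secure_channel and not client_wants_sealing:
            return False
        session_key = self.rng.getrandbits(8 * BLOCK_LEN).to_bytes(BLOCK_LEN, "big")
        expected = compute_netlogon_credential(session_key, client_challenge)
        return expected == client_credential


def zerologon_attack(server: NetlogonServer, max_attempts: int = 5000):
    """Attacker with no password: sends an all-zero challenge and credential and
    declines sealing (it cannot seal without the key), retrying until a session
    key with the zero property comes up. Returns the attempt count or None."""
    for attempt in range(1, max_attempts + 1):
        if server.authenticate(bytes(CHALLENGE_LEN), bytes(CHALLENGE_LEN),
                               client_wants_sealing=False):
            return attempt
    return None


def empirical_success_rate(n_keys: int, seed: int = 1) -> float:
    """Fraction of random session keys for which the zero credential verifies."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_keys):
        key = rng.getrandbits(8 * BLOCK_LEN).to_bytes(BLOCK_LEN, "big")
        hits += zero_credential_accepted(key)
    return hits / n_keys


if __name__ == "__main__":
    print("P(zero credential accepted):", empirical_success_rate(4096), "(expected about 1/256)")
    print("attempts against unpatched DC:", zerologon_attack(NetlogonServer(random.Random(2020))))
    print("attempts against enforcing DC:", zerologon_attack(NetlogonServer(random.Random(2020), True)))
```

The attempt count against the unpatched server varies with the seed but averages around 256, which is why the real exploit simply loops; the enforcing server never accepts because the attacker cannot negotiate sealing without the key. Real exploits then go further and use the bypass to set an empty machine password on the DC, which this simulation does not model.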
As shared by Nguyen Van Cuong of Bkav, since the DC is only a platform serving other systems, it receives less attention when patches are applied. This is, unfortunately, an excellent opportunity for hackers, as most systems using DCs at the moment still have this flaw.
With around 50 percent of servers in the country currently running the Windows Server operating system, Vietnam has become easy prey for hackers.
Bkav reported that the first victim in the nation has been found. Bkav experts therefore urged server administrators to apply the OS patch immediately. Note that Microsoft shipped the fix in two phases: the initial patch protects domain-joined Windows machines, while full enforcement mode, which rejects every insecure Netlogon connection, came later and should be confirmed on each DC. Any system with eEye SOC installed is automatically protected from Zerologon attacks.