The Zerologon vulnerability is a cryptographic flaw in the Windows Netlogon service that could enable attacks against Active Directory domain controllers. These are dangerous attacks, given that a successful exploit could give a threat actor credentialed control over an entire domain.
Netherlands-based security company Secura disclosed the vulnerability to Microsoft, which patched it in August; a second Microsoft patch, expected early next year, is meant to fully close the vulnerability. Given its severity, it did not take long for proof-of-concept exploits to appear online, and soon state actors such as Energetic Bear and Cicada were allegedly using the flaw in attacks against targets worldwide.
In this episode of the Nexus Podcast, Tom Tervoort, a senior security specialist at Secura, joins Claroty Editorial Director Mike Mimoso to discuss his research and "accidental" discovery of this vulnerability in a critical Windows authentication service. Zerologon is so named because the flaw allows an attacker to set the initialization vector used during logon to a static string of zeros in place of what should be a fresh, random value.
Zerologon also poses a risk to industrial enterprises, since Active Directory can serve as the main authentication repository for distributed control systems and other Windows-based systems that connect to operational technology (OT) networks. Using this avenue to reach industrial control systems could jeopardize oversight of the physical process.
Other highlights from this conversation include:
Tom's Pwnie Award, given at Black Hat EU, for the best cryptographic attack
An in-depth conversation about the vulnerability
Use of Zerologon by APT groups
Secondary attacks using stolen domain credentials
Difficulties in finding and exploiting Windows vulnerabilities
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.