RansomHub Has A Ransomware Exploit That Leverages Microsoft And Palo Alto Vulnerabilities To Pwn You
Researchers have uncovered a major ransomware exploit that targets ZeroLogon, a critical vulnerability in Microsoft’s Active Directory that allows attackers to gain access to domain controllers without needing any credentials. It also targets a vulnerability in Palo Alto Networks firewall appliances running outdated PAN-OS software. That exploit allowed attackers to execute arbitrary code with root privileges, bypassing authentication and gaining a foothold inside the network. The group behind this is RansomHub, a well-known ransomware actor.
You can read details here.
Martin Jartelius, CISO at Outpost24, provided the following comments specifically related to the Microsoft part of this:
“The ZeroLogon vulnerability (CVE-2020-1472) continues to be a major concern, especially in Active Directory (AD) environments, which are often seen as a platform that “just works.” The vulnerability was patched by Microsoft in August 2020, but for the exploit to be effective, organizations must have either failed to patch or deliberately re-enabled insecure protocols in their Group Policy Objects (GPO). Enforcement of secure channels by AD controllers didn’t begin until Q1 2021, but since then, it has been actively enforced.
“It’s difficult to victim-blame when it comes to zero-day exploits or supply chain breaches, but when an organization is hit by a vulnerability that has been patched for over four years, it’s clear that someone within the team has knowingly taken on a significant risk. The kill chain doesn’t begin with this exploit—it starts with initial access. Organizations must focus on hardening their external attack surface and training staff to reduce the likelihood of breaches. Leaving systems unpatched or intentionally vulnerable is a serious security misstep.
“A critical point: if your domain controllers (DCs) are still running Windows Server 2008 R2 SP1 or earlier, this vulnerability remains unpatched unless you have an Extended Security Update (ESU) license, which only applies when running in Azure, not on-prem. While rare, we still encounter customers running unsupported versions of Windows. Active Directory, being the “keys to the kingdom,” must be regularly maintained and patched to avoid exposure to preventable exploits.
“Finally, Windows Server 2012 and 2012 R2 will reach the final year of their ESU coverage in October 2026. Organizations should start planning upgrades now to ensure continued protection.
“The broader lesson is the importance of proactive patching, secure configurations, and ongoing risk management to avoid unnecessary exposure.”
Along with Martin’s advice, I would have a look at this if you are a Palo Alto customer and take immediate action if required. That way you limit your exposure.
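For the Active Directory side of this, here is an added PowerShell audit (my own example, not code from the post or from Outpost24) that checks the three conditions Martin describes on a domain controller: whether Netlogon secure channel enforcement has been explicitly switched off, whether the DC is on an OS too old to have received the fix without ESU, and whether the DC is logging vulnerable Netlogon connections that a group policy exception still allows. The registry value and event IDs are the ones Microsoft documented for the CVE-2020-1472 rollout; the output wording is mine.

```powershell
# Added example: audit one domain controller for the ZeroLogon (CVE-2020-1472)
# mitigation state. Run in an elevated PowerShell session on the DC.

# 1. Enforcement switch. FullSecureChannelProtection=0 was the documented way to
#    keep vulnerable Netlogon connections allowed before the enforcement phase;
#    enforcement-phase DCs ignore it, but a 0 still shows someone opted out.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$fscp = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($fscp -eq 0) {
    Write-Warning 'FullSecureChannelProtection is 0: secure channel enforcement explicitly disabled.'
} else {
    $state = if ($null -eq $fscp) { 'not set (enforced by default)' } else { "$fscp" }
    Write-Output "FullSecureChannelProtection: $state"
}

# 2. Unsupported OS. Windows Server 2008 R2 (kernel 6.1) or earlier only got the
#    fix through ESU, as the quote above notes.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.2') {
    Write-Warning "$($os.Caption) ($($os.Version)) is out of mainstream support; verify ESU coverage."
}

# 3. Netlogon events written by patched DCs (System log, provider NETLOGON):
#    5827/5828  vulnerable connection denied (machine account / trust account)
#    5829       vulnerable connection allowed (initial deployment phase only)
#    5830/5831  vulnerable connection allowed by the
#               "Allow vulnerable Netlogon secure channel connections" group policy
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827, 5828, 5829, 5830, 5831 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($group in ($events | Group-Object -Property Id)) {
    Write-Output "Netlogon event $($group.Name): $($group.Count) occurrence(s)"
}

$allowed = $events | Where-Object { $_.Id -in 5829, 5830, 5831 }
if ($allowed) {
    Write-Warning 'Vulnerable Netlogon connections are still being ALLOWED on this DC.'
    Write-Warning 'Review the GPO exception list and the accounts named in these events.'
    $allowed | Select-Object -First 5 TimeCreated, Id, Message | Format-List
} elseif ($events) {
    Write-Output 'Only denial events seen: enforcement is active, but check which clients are being refused.'
}
```

Denied connections (5827/5828) are not a ZeroLogon problem in themselves, but the machine accounts they name are the ones an attacker would have needed; they are worth confirming as legitimate, unpatched clients rather than probes.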
This entry was posted on February 13, 2025 at 12:25 pm and is filed under Commentary with tags Microsoft, Palo Alto. You can follow any responses to this entry through the RSS 2.0 feed.