The ZeroLogon vulnerability would allow a malicious agent with a foothold on your internal network to essentially become Domain Admin with just one click. The only precondition is that the attacker can communicate with the Domain Controller over the network. The attacks described here obtained that foothold through a WordPress File Manager plugin vulnerability that was already being exploited in the wild.
CVE-2020-25213: The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. CVE-2020-25213 was exploited in the wild in August and September 2020.
Threat actors have been abusing this vulnerability in the File Manager plugin, which allows arbitrary code execution on the server side (an RCE vulnerability). Figure 1 below illustrates the problem explained here.
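The exploitation path in CVE-2020-25213 leaves two traces a defender can look for: requests to the plugin's elFinder connector that carry a write command (upload, mkfile or put), and later requests for PHP files that appeared under wp-content/plugins/wp-file-manager/lib/files/. The script below is an added example and is not code from the article or from the plugin; it parses constructed combined-format access log lines and checks an installed plugin directory for dropped PHP files. The connector path lib/php/connector.minimal.php and the sample log content are assumptions for the example.

```python
import re
from pathlib import Path
from urllib.parse import urlparse, parse_qs

# Combined-format access log lines constructed for this example (not from the article).
# Line 2 asks the elFinder connector to write a file; line 3 is the dropped file being called.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2020:10:15:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4128 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2020:10:15:09 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=upload&target=l1_Lw HTTP/1.1" 200 512 "-" "python-requests/2.24.0"
198.51.100.4 - - [01/Sep/2020:10:16:30 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/dropped.php HTTP/1.1" 200 88 "-" "curl/7.68.0"
192.0.2.9 - - [01/Sep/2020:10:17:01 +0000] "GET /index.php HTTP/1.1" 200 10244 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2020:10:18:44 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=ls&target=l1_Lw HTTP/1.1" 403 0 "-" "python-requests/2.24.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN_DIR = "/wp-content/plugins/wp-file-manager/"
# Assumed location of the renamed elFinder connector; verify against your own install.
CONNECTOR = PLUGIN_DIR + "lib/php/connector.minimal.php"
# Directory the advisory names as the write target for dropped PHP code.
DROP_DIR = PLUGIN_DIR + "lib/files/"
# elFinder commands the advisory names as the ones used to write files.
WRITE_CMDS = {"upload", "mkfile", "put"}


def classify(line):
    """Return (rule, client_ip, detail) for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    if url.path == CONNECTOR:
        cmd = parse_qs(url.query).get("cmd", [""])[0]
        # upload is a multipart POST, so cmd may sit in the body instead of the query string.
        if cmd in WRITE_CMDS or m["method"] == "POST":
            return ("connector_write_command", m["ip"], cmd or "POST body")
        # Any unauthenticated reach of the connector is itself worth reviewing.
        return ("connector_access", m["ip"], cmd)
    if url.path.startswith(DROP_DIR) and url.path.endswith(".php") and m["status"] == "200":
        return ("dropped_php_executed", m["ip"], url.path)
    return None


def scan(log_text):
    """Run classify() over every line and keep the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def php_in_drop_dir(relative_paths):
    """Pure check: which plugin-relative paths are PHP files inside lib/files/."""
    return sorted(
        p for p in relative_paths
        if p.startswith("lib/files/") and p.lower().endswith((".php", ".phtml", ".php5"))
    )


def find_dropped_php(plugin_root):
    """Walk an installed wp-file-manager directory and report PHP under lib/files/."""
    root = Path(plugin_root)
    rel = [str(p.relative_to(root)).replace("\\", "/") for p in root.rglob("*") if p.is_file()]
    return php_in_drop_dir(rel)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run scan() over the real access log to see which client first reached the connector, and find_dropped_php() against the plugin directory on disk; any PHP file under lib/files/ should not exist on a clean install. Note that the web server log only shows the request, so a 200 on the connector does not by itself prove the write succeeded; the filesystem check confirms it.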
By September 10, over 2.6 million sites had been attacked, and CVE-2020-25213, which affects the WP File Manager WordPress plugin, continues to be exploited by criminals.
So far, this flaw has been exploited in multiple ways: in phishing campaigns; to implant backdoors that steal data, credit card numbers, or other sensitive personal information (PII); to inject cryptominers (JavaScript) into the source code of specific pages (e.g., index.php); and to pivot into the internal network and abuse the Zerologon vulnerability against Domain Controllers.
Criminals have taken advantage of web vulnerabilities to obtain a privileged shell inside internal networks. From there, network reconnaissance and lateral movement have been carried out, Domain Controllers have been identified, and those controllers have been compromised with Zerologon. This critical vulnerability is based on an encryption flaw and allows the machine account password to be changed to an empty value.
Finally, the Domain Controller's NTLM hashes can then be exfiltrated remotely. Note that the machine account password must be restored quickly; otherwise the DCs will stop synchronizing, which can break the network.
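The sequence just described, a Domain Controller machine account password being emptied and then restored minutes later, shows up in Windows event logs as an Event ID 4742 ("A computer account was changed") whose subject is ANONYMOUS LOGON (SID S-1-5-7), followed by a second 4742 on the same account. Domain Controllers that have the August 2020 update additionally write Netlogon System events 5827/5828 (vulnerable secure channel denied) and 5829 (vulnerable secure channel allowed). The triage script below is an added example and not the article's code; the event records are constructed to mimic the fields a SIEM exposes, and the DC inventory is an assumption.

```python
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"
# Assumed inventory of Domain Controller machine accounts in this environment.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
NETLOGON_DENIED = {5827, 5828}          # written by patched DCs when a vulnerable connection is refused
NETLOGON_ALLOWED_VULNERABLE = {5829}    # written by patched DCs still in the deployment phase

# Event records constructed for this example (not from the article). TimeCreated is UTC.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4742, "TimeCreated": "2020-09-14T02:00:00Z",
     "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$",
     "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 2:00:00 AM"},   # routine rotation
    {"Channel": "System", "EventID": 5829, "TimeCreated": "2020-09-14T10:03:10Z",
     "SamAccountName": "DC01$", "ClientAddress": "10.0.0.55"},
    {"Channel": "Security", "EventID": 4742, "TimeCreated": "2020-09-14T10:03:11Z",
     "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 10:03:11 AM"},  # password emptied
    {"Channel": "Security", "EventID": 4742, "TimeCreated": "2020-09-14T10:08:40Z",
     "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
     "SubjectUserName": "Administrator",
     "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 10:08:40 AM"},  # password restored
    {"Channel": "Security", "EventID": 4624, "TimeCreated": "2020-09-14T10:09:00Z",
     "SubjectUserSid": "S-1-0-0", "TargetUserName": "alice"},                 # unrelated logon
]


def _ts(ev):
    return datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")


def _finding(severity, rule, account, ev):
    return {"severity": severity, "rule": rule, "account": account, "time": ev["TimeCreated"]}


def rule_anonymous_reset(ev):
    """4742 where the password was set and the subject is ANONYMOUS LOGON."""
    if ev["EventID"] != 4742 or ev.get("SubjectUserSid") != ANONYMOUS_SID:
        return None
    if ev.get("PasswordLastSet", "-") == "-":      # "-" means the password field did not change
        return None
    target = ev.get("TargetUserName", "")
    severity = "high" if target in DOMAIN_CONTROLLERS else "medium"
    return _finding(severity, "machine_password_changed_by_anonymous", target, ev)


def rule_netlogon(ev):
    """Netlogon events emitted by DCs carrying the August 2020 update."""
    eid = ev["EventID"]
    if eid in NETLOGON_DENIED:
        return _finding("low", "vulnerable_netlogon_denied", ev.get("SamAccountName", ""), ev)
    if eid in NETLOGON_ALLOWED_VULNERABLE:
        return _finding("medium", "vulnerable_netlogon_allowed", ev.get("SamAccountName", ""), ev)
    return None


def rule_rapid_resets(events, window=timedelta(minutes=30)):
    """Two password sets on the same computer account inside one window (empty, then restore)."""
    resets = sorted((e for e in events
                     if e["EventID"] == 4742 and e.get("PasswordLastSet", "-") != "-"), key=_ts)
    findings, last_by_account = [], {}
    for ev in resets:
        acct = ev.get("TargetUserName", "")
        prev = last_by_account.get(acct)
        if prev is not None and _ts(ev) - _ts(prev) <= window:
            findings.append(_finding("high", "rapid_repeated_password_reset", acct, ev))
        last_by_account[acct] = ev
    return findings


def triage(events):
    """Apply the per-event rules in order, then the cross-event rule."""
    findings = []
    for ev in events:
        for rule in (rule_anonymous_reset, rule_netlogon):
            f = rule(ev)
            if f:
                findings.append(f)
    findings.extend(rule_rapid_resets(events))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The per-event rules fire on a single record, so they work on a live stream; the rapid-reset rule needs the events for one account collected over the window. The routine rotation at 02:00 is not flagged because it is more than 30 minutes from the next change, and the Administrator restore is only flagged in combination with the anonymous reset that preceded it.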
Step 1, installing the updates released on August 11, 2020 or later, addresses the security issue in CVE-2020-1472 for Active Directory domains and trusts, as well as Windows devices. This release: