About three weeks ago, I detected an attacker exploiting Zerologon on my personal honeypot:

There is more activity today, which shows proof of attackers using Zerologon for remote code execution on random internet endpoints.

At 11:01 UTC, IP address 124.70.137.246 arrived in BluePot and tried exploiting Zerologon.

Azure Sentinel tipped me off:

When CVE-2020-10713 goes wrong.

Unbootable.

A few days ago, the internet received news that billions of devices are impacted by BootHole, a vulnerability that theoretically could allow an attacker with existing authenticated administrative access to a device to tamper with SecureBoot.

It’s absolutely valid research, although a fairly low priority vulnerability for many threat models.

Kevin Beaumont

Everything here is my personal work and opinions.
