This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test it.

Press F to pay respects to MSRC (it’s not their fault)

Recently, Jonas tweeted something interesting. What Jonas didn’t realise at the time is Windows 10 also has the same behavior when System Protection aka Shadow Volumes is enabled, which should be the default in a majority of cases.

This is caused by BUILTIN\Users having read access to c:\Windows\System32\config\SAM.

Kaseya VSA is a commonly used solution by MSPs — Managed Service Providers — in the United States and United Kingdom, which helps them manage their client systems. Kaseya’s website claims they have over 40,000 customers.

Four hours ago, an apparent auto update in the product has delivered REvil ransomware.

By design, it has administrator rights down to client systems — which means that Managed Service Providers who are infected then infect their client’s systems.

Infected systems look like this:

How this first unfolded

Initial entry was using a zero day vulnerability in Kaseya VSA. This was CVE-2021–30116 (details have not been entered into…

zhiniang peng tweeted out a proof of concept exploit and explainer recently, and then quickly deleted it. This exploit and discussion contained an unpatched zero day in all supported and Extended Security Update verrsions of Windows OS.

Unfortunately by this had already been forked on Github by then… and the latest June 2021 security patches do not actually fix the issues. There appears to have been some kind of miscommunication or other error between Zhiniang and Microsoft.

@edwardzpeng’s writeup tags the issues as CVE-2021–1675, which Microsoft themselves changed to Remote Code Execution on 21st June 2021.

Unfortunately this patch…

I’ve talked about ransomware and extortion attacks on organizations for about a decade. I recently spent a year at Microsoft in Threat Intelligence in Redmond, which included tracking ransomware gangs. I’ve been on the front lines of cybersecurity at the coal face — I am again now — for decades, and the reality is: Houston, we have a (big) problem.

We are rebuilding entire economies around technology, while having some fundamental issues reducing foundations to quicksand.

What we are seeing currently is a predictable crisis, which hasn’t yet near peaked. I’m not sure people generally understand the situation yet. The…

Eclypsium and AdvIntel recently published some superb research on a Trickbot module, PermaDLL (they’re dubbing Trickboot), which allows the troublesome malware to read and — theocratically — tamper with UEFI firmware, the bit of software that loads before the operating system (in this case, Windows).

It was added to Trickbot several months ago.

There’s a couple of elements I’d like to pull out here to help defending organisations.

Why modifying firmware would matter

UEFI loads before the operating system, so in theory they could maintain access regardless of security controls

The big but…

There is no evidence Trickbot has modified UEFI firmware. They appear to be reading values…

About three weeks I detected an attacker exploiting Zerologon on my personal honeypot:

There is more activity today, which shows proof of attackers using Zerologon for remote code execution on random internet endpoints.

At 11:01UTC, IP address arrived in BluePot and tried exploiting Zerologon.

Azure Sentinel tipped me off:

(times in UK time, i.e. UTC+1).

So the title there is exactly as it reads — a few weeks ago I set up a honeypot vulnerable to CVE-2020–1472 aka ZeroLogon.

It is an Active Directory server with port 135 (MS-RPC), 445 (SMB) and RPC high ports available, with everything else closed down, updated to July 2020’s security patches, plugged into Azure Sentinel, my work’s cloud native security incident events management tool.

When CVE-2020–10713 goes wrong.


A few days ago, the internet received news that billions of devices are impacted by BootHole, a vulnerability that theoretically could allow an attacker with existing authenticated administrative access to a device to tamper with SecureBoot.

It’s absolutely valid research, although a fairly low priority vulnerability for many threat models.

Unfortunately, the patches are causing an awful lot of systems to fail to boot entirely.

Pikachu is surprised that everything you read on Twitter isn’t true.

Last year 8chan — the human cesspit of the internet — was booted as a customer from Cloudflare.

8chan hosted all kinds of problematic content, from multiple shooters who murdered people, to allegations of being a pedophile network.

Cue yesterday, when 8chan owner CodeMonkeyZ tweeted:

Alerting on potential DNS service exploitation

Honey in a pot.


In my personal honeypot, BluePot, I’ve built out detection for a wide variety of situations — from BlueKeep exploitation to SMB MS17–010 abuse that lead to WannaCry.

I recently expanded this out to CVE-2020–1350, a DNS vulnerability detailed a few weeks ago. BluePot has detected no active exploitation in the wild, outside of my initial testing.

It is possible to alert on DNS exploitation attempts for this vulnerability using Azure Sentinel, on Windows Server 2008 and above. The process for implementing this involves enabling DNS debug logs (if not already enabled), adding a Custom Log and adding alert rules.


Kevin Beaumont

Everything here is my personal work and opinions.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store