Second Zerologon attacker seen exploiting internet honeypot

By Kevin Beaumont
Published: 2020-10-16 · Archived: 2026-04-05 15:35:45 UTC

About three weeks ago I detected an attacker exploiting Zerologon on my personal honeypot:

There is more activity today, which shows proof of attackers using Zerologon for remote code execution on random internet endpoints.

At 11:01 UTC, IP address 124.70.137.246 arrived in BluePot and tried exploiting Zerologon. Azure Sentinel tipped me off:

(times in UK time, i.e. UTC+1).

Upon examining logs we can see the problems:

That is an IP in Huawei Cloud Service, according to Shodan:

Source: https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef