What gets to me the most about this particular vulnerability is that while its existence is owed to a fundamental misuse of a cryptographic function, the attack also exploits a handful of other security flaws that shouldn't be a thing anymore:
- Computer accounts are not locked out after invalid login attempts, so we can simply try a large number of times.
- The timestamp should contain the current POSIX time and is sent by the client along with the authenticator. It turns out, however, that the server places very few restrictions on what this value can be (which makes sense, since otherwise clock skew would become very troublesome), so we can simply pretend that it is January 1st, 1970 and set this value to 0 as well.
- It turns out that setting an empty password for a computer account is not forbidden at all.
This script will successfully extract all user hashes from the domain through the Domain Replication Service (DRS) protocol. This includes domain administrator hashes (and the 'krbtgt' key, which can be used to create golden tickets), which could then be used to log in to the DC (using a standard pass-the-hash attack).
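Since the attack relies on computer accounts never locking out, the defender's counterpart is to watch for what lockout would otherwise have stopped: a burst of failed authentication attempts against one machine account from one source in a short window. The following added example (not code from the original post) does that over a constructed, simplified log format; the format, the `account=`/`src=` fields, the threshold of 20 failures per 60 seconds and the sample lines are all assumptions, not the real Windows Security event layout.

```python
"""Added example (not from the original post): flag bursts of failed
authentication attempts against machine accounts (names ending in "$").

The log format is a constructed simplification:
    <iso-timestamp> <OK|FAIL> account=<name> src=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 25 rapid failures against DC01$ from one host,
# a few scattered failures against WS02$ (below threshold) and one
# user-account failure that the machine-account filter ignores.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} FAIL account=DC01$ src=10.0.0.5" for i in range(25)
] + [
    "2024-05-01T10:05:00 FAIL account=WS02$ src=10.0.0.9",
    "2024-05-01T10:15:00 FAIL account=WS02$ src=10.0.0.9",
    "2024-05-01T10:25:00 FAIL account=WS02$ src=10.0.0.9",
    "2024-05-01T10:30:00 FAIL account=alice src=10.0.0.7",
    "2024-05-01T10:31:00 OK account=DC01$ src=10.0.0.5",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) account=(?P<account>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return [(account, src, peak_count)] for every (account, src) pair whose
    failed attempts against a machine account reach `threshold` inside any
    sliding interval of length `window`. Lines are expected in time order."""
    recent = defaultdict(deque)  # (account, src) -> timestamps inside the window
    alerts = {}                  # (account, src) -> highest in-window count seen
    for line in lines:
        rec = parse_line(line)
        # Only failed attempts against machine accounts are of interest here.
        if rec is None or rec["result"] != "FAIL" or not rec["account"].endswith("$"):
            continue
        key = (rec["account"], rec["src"])
        q = recent[key]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return [(acct, src, n) for (acct, src), n in alerts.items()]


if __name__ == "__main__":
    for account, src, count in find_bursts(SAMPLE_LOG):
        print(f"burst: {count} failures against {account} from {src}")
```

Run against the sample, the detector reports a single burst of 25 failures against `DC01$` from `10.0.0.5`; the three spread-out `WS02$` failures and the user-account failure stay below the radar. On a real domain the threshold and window would be tuned to the normal failure rate of machine accounts, and the same sliding-window logic applies to any source of authentication events.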