A Wide Range of Threat Groups Pick ZeroLogon | Cyware Alerts


A Windows Netlogon vulnerability dubbed ZeroLogon (CVE-2020-1472), rated 10/10 on the CVSS scale, has been driving a wave of attacks since it was disclosed and patched in August 2020. Recently, several threat actors have been seen abusing ZeroLogon to target public- and private-sector organizations.

Involvement of APTs

Recently, the TA505 (aka Chimborazo) and MuddyWater (aka Mercury) groups were observed using the ZeroLogon vulnerability to gain direct access to domain controllers.

  • TA505 ran a campaign that delivered fake software updates to connect victims to the threat actor's C2 infrastructure and then used ZeroLogon to escalate privileges on the domain.
  • The group also leaned on legitimate, built-in tooling: Windows Script Host (WScript.exe) to execute scripts in several scripting languages, Mimikatz, which includes exploit code for the ZeroLogon vulnerability, and the Microsoft Build Engine (MSBuild.exe) to compile and run attacker-supplied code.
  • Days earlier, Microsoft reported that MuddyWater, an Iranian state-sponsored group, was also exploiting the ZeroLogon vulnerability.

A trending subject around the globe

The first in-the-wild attacks were detected in September, roughly a week after proof-of-concept exploit code was published.
  • In the first week of October, attackers exploited CVE-2020-25213, a flaw in the WordPress File Manager plugin, to get an initial foothold and then used ZeroLogon to attack domain controllers.
  • According to DHS, government and election-support systems are at risk from active ZeroLogon exploitation. In mid-September, DHS CISA issued Emergency Directive 20-04, requiring federal agencies to apply the patch by September 21.
  • Microsoft has repeatedly issued support bulletins urging all Windows Server administrators to install the August 2020 security update for CVE-2020-1472.
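The August 2020 update does more than close the hole: it adds System-log events (IDs 5827 to 5831, source NETLOGON) that record every vulnerable Netlogon secure-channel connection a domain controller sees, and it honours a registry value, FullSecureChannelProtection, that switches the DC from monitoring mode into enforcement mode. The script below is an added example, not code from the Cyware article or from Microsoft; it assumes the operator is a Domain Admin with the ActiveDirectory RSAT module installed and WinRM access to each DC. The registry path and event IDs are the ones Microsoft documents for the update; the hostnames it discovers and the output shape are this example's own.

```powershell
# Added example (not from the original article): audit every domain controller for the
# CVE-2020-1472 mitigation state. Assumes Domain Admin rights, the ActiveDirectory
# module, and WinRM reachability to each DC.

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$eventIds = 5827, 5828, 5829, 5830, 5831   # only a patched DC ever logs these
$since    = (Get-Date).AddDays(-7)         # monitoring window to inspect

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $regPath, $eventIds, $since -ScriptBlock {
        param($regPath, $eventIds, $since)

        # 1 = enforcement mode: vulnerable (unsigned) secure channels are refused.
        # Absent or 0 = monitoring mode: they are allowed and logged as 5829.
        $enforce = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection `
                        -ErrorAction SilentlyContinue).FullSecureChannelProtection

        # Get-WinEvent raises a non-terminating error when nothing matches; swallow it.
        $events = @(Get-WinEvent -FilterHashtable @{
                        LogName = 'System'; Id = $eventIds; StartTime = $since
                    } -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            DC               = $env:COMPUTERNAME
            EnforcementKey   = if ($null -eq $enforce) { 'not set (monitoring)' } else { $enforce }
            Denied_5827_5828 = @($events | Where-Object Id -in 5827, 5828).Count  # blocked attempts
            Allowed_5829     = @($events | Where-Object Id -eq 5829).Count        # still-vulnerable clients
            Allowlisted_5830 = @($events | Where-Object Id -in 5830, 5831).Count  # explicitly exempted
        }
    }
}

$report | Format-Table -AutoSize

# Remediation once Allowed_5829 reads zero for the whole window on a DC:
#   Invoke-Command -ComputerName <dc> -ScriptBlock {
#       Set-ItemProperty -Path $using:regPath -Name FullSecureChannelProtection -Value 1 -Type DWord
#   }
```

Read the table per DC: a non-zero Allowed_5829 count means a client (often a legacy or third-party device) is still negotiating a vulnerable channel and would break once enforcement is turned on, so inventory those clients before flipping the key; a DC that shows no 5827 to 5831 events and no key has either never received the patch or has no vulnerable traffic, and the patch level itself should be confirmed separately with Get-HotFix against the KB for that OS build. Any 5827 or 5828 event after enforcement is a denied exploitation or misconfigured-client attempt and belongs in your alerting.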

The closing statement

The patch was released in August 2020, but according to multiple reports many organizations have yet to apply it. Warnings about this critical privilege-escalation vulnerability continue to go out to network administrators as criminal and state-sponsored actors keep exploiting it.
