Russian Cybercrime group is exploiting Zerologon flaw, Microsoft warns


Microsoft has uncovered Zerologon attacks that were allegedly conducted by the infamous TA505 Russia-linked cybercrime group.

Microsoft spotted a series of Zerologon attacks allegedly launched by the Russian cybercrime group tracked as TA505, CHIMBORAZO and Evil Corp.

Microsoft experts spotted the Zerologon attacks involving fake software updates; the researchers noticed that the malicious code connected to command and control (C&C) infrastructure known to be associated with TA505.

The TA505 hacking group has been active since 2014, focusing on the retail and banking sectors. The group is also known for evasive techniques it has put in place over time to avoid security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by the victim, or abusing valid cryptographically signed payloads.

The TA505 group was involved in campaigns aimed at distributing the Dridex banking Trojan, along with the Locky, BitPaymer, Philadelphia, GlobeImposter, and Jaff ransomware families.

Security experts from cyber-security firm Prevailion reported that TA505 has compromised more than 1,000 organizations.

The malicious updates employed in the Zerologon attacks are able to bypass the user account control (UAC) security feature in Windows and abuse the Windows Script Host tool (wscript.exe) to execute malicious scripts.

We’re seeing more activity leveraging the CVE-2020-1472 exploit (ZeroLogon). A new campaign shrewdly poses as software updates that connect to known CHIMBORAZO (TA505) C2 infrastructure. The fake updates lead to UAC bypass and use of wscript.exe to run malicious scripts.

— Microsoft Security Intelligence (@MsftSecIntel) October 6, 2020

The experts explained that the threat actors abuse MSBuild.exe to compile Mimikatz updated with built-in ZeroLogon functionality.  

To exploit the vulnerability, attackers abuse MSBuild.exe to compile Mimikatz updated with built-in ZeroLogon functionality.

— Microsoft Security Intelligence (@MsftSecIntel) October 6, 2020
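The two behaviours Microsoft describes (wscript.exe running the fake update's scripts, and MSBuild.exe used as a compiler on a victim host) can be hunted for in process-creation telemetry. The following is an added example, not Microsoft's detection logic or code from the original article; the event fields, sample events, directory list and parent allowlist are all constructed assumptions to be tuned per environment.

```python
import ntpath

# Constructed process-creation events (fields loosely modelled on Sysmon Event ID 1).
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Users\alice\Downloads\update_setup.exe",
     "cmd": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\upd.js"'},
    {"host": "ws01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    {"host": "dev07",
     "image": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.sln /m"},
    {"host": "ws02", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "\\fileserver\netlogon\map_drives.vbs"'},
]

# Assumed heuristics: directories a standard user can write to, and the
# parents from which MSBuild is expected to start on a developer machine.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def triage(event):
    """Return the reasons this process-creation event deserves review."""
    image, parent = base(event["image"]), base(event["parent"])
    in_user_dir = any(d in event["cmd"].lower() for d in USER_WRITABLE)
    reasons = []
    if image in SCRIPT_HOSTS and in_user_dir:
        reasons.append("script host running a script from a user-writable path")
    if image == "msbuild.exe":
        if parent not in BUILD_PARENTS:
            reasons.append(f"MSBuild started by unexpected parent {parent}")
        if in_user_dir:
            reasons.append("MSBuild project file in a user-writable path")
    return reasons

def hunt(events):
    """Map event index -> reasons, for events with at least one reason."""
    return {i: r for i, e in enumerate(events) if (r := triage(e))}

if __name__ == "__main__":
    for idx, why in hunt(EVENTS).items():
        print(EVENTS[idx]["host"], base(EVENTS[idx]["image"]), why)
```

The developer build on dev07 and the logon script on ws02 pass untouched, which is the point of keying on parent process and script location rather than on the binary name alone.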

“Attacks showing up in commodity malware like those used by the threat actor CHIMBORAZO indicate broader exploitation in the near term,” states Microsoft.

This is the second alert published by Microsoft related to Zerologon attacks in the wild. Earlier this week the IT giant published a post and a series of tweets warning of cyber attacks exploiting the Zerologon vulnerability carried out by the Iran-linked APT group known as MuddyWater, aka Mercury.

MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78

— Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020

The CVE-2020-1472 Zerologon flaw is an elevation of privilege vulnerability that resides in Netlogon. The Netlogon service is an authentication mechanism used in the Windows Client Authentication Architecture that verifies logon requests and registers, authenticates, and locates domain controllers.

An attacker could exploit the vulnerability to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

An attacker could also exploit the flaw to disable security features in the Netlogon authentication process and change a computer’s password on the domain controller’s Active Directory.

At the end of September, DHS CISA issued an emergency directive telling government agencies to address the Zerologon vulnerability (CVE-2020-1472) by Monday.

Pierluigi Paganini

(SecurityAffairs – hacking, Zerologon)
