Microsoft has observed new threat activity exploiting the critical Zerologon vulnerability (CVE-2020-1472. The campaign poses as software updates that connect with known TA505 command-and-control infrastructure, the company reports.
TA505 is a Russian-speaking threat group known for spreading the Dridex banking Trojan and Locky ransomware. While its victim organizations span sizes and industries, it's known to target financial organizations and use a range of attack techniques to achieve its nefarious goals.
This time it's weaponizing Zerologon, a vulnerability that has become a patching priority since Microsoft released one of two planned fixes in August. The flaw exists when an attacker creates a vulnerable Netlogon secure channel connection to a domain controller using MS-NRPC. With this, they don't need to authenticate in order to elevate privileges and become an admin.
TA505, which Microsoft calls Chimborazo, is distributing fake updates that lead to UAC bypass and using wscript[.]exe to run malicious code. To exploit this vulnerability, the attackers abuse MSBuild[.]exe to compile Mimikatz updated with built-in Microsoft functionality, the company's security intelligence team explains in a series of tweets on their discovery.
"Attacks showing up in commodity malware like those used by the threat actor Chimborazo indicate broader exploitation in the near term," says Microsoft, encouraging readers to update.
This is the second time this week attackers were seen using Zerologon in the wild. Mercury, an Iranian APT group also known as MuddyWater, Static Kitten, and Seedworm, has been using the vulnerability in active campaigns over the past two weeks, Microsoft Security Intelligence found. Mercury has historically targeted government organizations, especially those in the Middle East.
Read more details here.