A Wide Range of Threat Groups Pick ZeroLogon

A Windows vulnerability dubbed ZeroLogon (CVE-2020-1472), with a 10/10 CVSS score, has been spurring a wave of attacks since its emergence in August. Recently, several threat actors were seen abusing the ZeroLogon vulnerability to target public and private sector organizations.

Involvement of APTs

Recently, the TA505 (aka Chimborazo) and MuddyWater (aka Mercury) groups were observed gaining direct access to the domain controller via the ZeroLogon vulnerability.
  • TA505 deployed a campaign that used the ZeroLogon vulnerability together with fake updates to connect to the threat actor’s C2 infrastructure and gain increased privileges.
  • The threat actor also used legitimate tools: Windows Script Host (WScript.Exe) to execute scripts in various programming languages, the Mimikatz tool to exploit the ZeroLogon vulnerability, and Microsoft Build Engine (MSBuild.Exe) to build applications.
  • A few days ago, Microsoft discovered that an Iranian state-sponsored hacker group, dubbed MuddyWater, was also exploiting the ZeroLogon vulnerability.

A trending subject around the globe

The attacks were first detected in September, around one week after a proof-of-concept was published.
  • In the first week of October, hackers exploited a flaw (CVE-2020-25213) in the WordPress WP-Manager plugin to leverage the ZeroLogon vulnerability and attack domain controllers.
  • According to DHS, government election systems face a threat from active ZeroLogon exploits. Already in mid-September, DHS’s CISA had released an emergency directive for government agencies, urging them to patch this extremely dangerous vulnerability by September 21.
  • Microsoft has repeatedly issued support bulletins urging all Windows Server administrators to install the security update for CVE-2020-1472.

The closing statement

The patch was released in August 2020 but, as per reports, not many organizations have implemented it. Warnings about this critical privilege escalation vulnerability are still being sent to network admins as cybercriminals continue to exploit it.