Critical Zerologon Flaw Exploited in TA505 Attacks

Microsoft reports a new campaign leveraging the critical Zerologon vulnerability just days after nation-state group Mercury was seen using the flaw.

Microsoft has observed new threat activity exploiting the critical Zerologon vulnerability (CVE-2020-1472. The campaign poses as software updates that connect with known TA505 command-and-control infrastructure, the company reports.
TA505 is a Russian-speaking threat group known for spreading the Dridex banking Trojan and Locky ransomware. While its victim organizations span sizes and industries, its known to target
financial organizations
and use a range of
attack techniques
to achieve its nefarious goals.
This time its weaponizing Zerologon, a vulnerability that has become a
patching priority
since Microsoft
released
one of two planned fixes in August. The flaw exists when an attacker creates a vulnerable Netlogon secure channel connection to a domain controller using MS-NRPC. With this, they dont need to authenticate in order to elevate privileges and become an admin.
TA505, which Microsoft calls Chimborazo, is distributing fake updates that lead to UAC bypass and using wscript[.]exe to run malicious code. To exploit this vulnerability, the attackers abuse MSBuild[.]exe to compile Mimikatz updated with built-in Microsoft functionality, the companys security intelligence team explains in a
series of tweets
on their discovery.
Attacks showing up in commodity malware like those used by the threat actor Chimborazo indicate broader exploitation in the near term, says Microsoft, encouraging readers to update.
This is the second time this week attackers were seen using Zerologon in the wild. Mercury, an Iranian APT group also known as MuddyWater, Static Kitten, and Seedworm,
has been using
the vulnerability in active campaigns over the past two weeks, Microsoft Security Intelligence found. Mercury has historically targeted government organizations, especially those in the Middle East.
Read more details
here
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Critical Zerologon Flaw Exploited in TA505 Attacks