Critical Zerologon Flaw Exploited in TA505 Attacks

Published : 23/11/2024   Category : security



Microsoft reports a new campaign leveraging the critical Zerologon vulnerability just days after nation-state group Mercury was seen using the flaw.



Microsoft has observed new threat activity exploiting the critical Zerologon vulnerability (CVE-2020-1472). The campaign poses as software updates that connect to known TA505 command-and-control infrastructure, the company reports.
TA505 is a Russian-speaking threat group known for spreading the Dridex banking Trojan and Locky ransomware. While its victim organizations span sizes and industries, it is known to target financial organizations and to use a range of attack techniques to achieve its goals.
This time it is weaponizing Zerologon, a vulnerability that has become a patching priority since Microsoft released the first of two planned fixes in August. The flaw lies in the Netlogon Remote Protocol (MS-NRPC): an attacker who can reach a domain controller over the network can establish a vulnerable Netlogon secure channel connection to it and, without any credentials, elevate privileges to domain administrator. The root cause is a cryptographic mistake in how Netlogon authenticates that secure channel, which lets the attacker impersonate any computer account in the domain, including the domain controller's own.
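The cryptographic mistake behind Zerologon, shown as an added example rather than anything from the article or from Microsoft: Netlogon derives a client credential from an 8-byte challenge with AES-128 in CFB8 mode using an all-zero IV. With a zero IV, an all-zero challenge encrypts to an all-zero credential whenever the first byte of the block cipher's output on the zero block is zero, which is true for 1 in 256 session keys. An attacker who sends challenge 0 and credential 0 therefore authenticates as any machine account after a few hundred attempts on average, and can then set the domain controller's machine-account password to empty via NetrServerPasswordSet2. The block cipher below is a SHA-256 based stand-in for AES so that the script needs only the standard library; that substitution, the counter-derived keys and the function names are assumptions of this example. The CFB8 property it demonstrates holds for any 16-byte block cipher.

```python
"""Why a Zerologon attempt succeeds with probability 1/256 per try.

Added example (not from the article). AES-128 is replaced by a SHA-256
based block function (assumption) so the script runs offline; CFB8 with a
zero IV behaves identically with real AES.
"""
import hashlib

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption: any 16-byte
    block function shows the same CFB8 zero-IV property)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CFB8: encrypt the 16-byte shift register, XOR its first output byte
    with one plaintext byte, then shift that ciphertext byte into the
    register. If the register starts at zero and every ciphertext byte is
    zero, the register never changes and the output stays zero."""
    reg = bytearray(iv)
    out = bytearray()
    for p in data:
        c = block_encrypt(key, bytes(reg))[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Netlogon AES credential: CFB8 over the challenge with a fixed
    all-zero IV. The fixed IV is the bug."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zerologon_attempt(session_key: bytes) -> bool:
    """One NetrServerAuthenticate3 attempt: the client sends an all-zero
    challenge and an all-zero credential; the server accepts if its own
    computation of the credential matches."""
    client_challenge = bytes(8)
    claimed_credential = bytes(8)
    return compute_netlogon_credential(session_key, client_challenge) == claimed_credential


def find_weak_key(start: int = 0) -> bytes:
    """First counter-derived key (assumption) whose zero-block encryption
    starts with a zero byte, i.e. a session key fooled by the zero credential."""
    i = start
    while True:
        key = i.to_bytes(BLOCK, "big")
        if block_encrypt(key, bytes(BLOCK))[0] == 0:
            return key
        i += 1


def success_rate(n_keys: int, seed: bytes = b"constructed-seed") -> float:
    """Fraction of deterministic pseudo-random session keys fooled by a
    single attempt; converges to 1/256."""
    hits = 0
    for i in range(n_keys):
        key = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK]
        hits += zerologon_attempt(key)
    return hits / n_keys


if __name__ == "__main__":
    weak = find_weak_key()
    print("weak key accepts zero credential:", zerologon_attempt(weak))
    print("per-attempt success rate over 20000 keys:", success_rate(20000))
    print("expected:", 1 / 256)
```

The real attack also negotiates away signing and sealing on the channel, but the 1/256 per-attempt success is entirely the zero-IV CFB8 property above, which is why the fix changes the protocol rules (enforcing secure RPC) rather than the cipher.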
TA505, which Microsoft tracks as Chimborazo, is distributing fake updates that lead to a UAC bypass and uses wscript[.]exe to run malicious code. To exploit the vulnerability, the attackers abuse MSBuild[.]exe to compile a build of Mimikatz updated with built-in Zerologon functionality, the company's security intelligence team explained in a series of tweets on the discovery.
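One way to hunt for the execution chain the article describes, written as an added example rather than anything Microsoft published: flag MSBuild[.]exe when a script host such as wscript[.]exe is its parent, or when the project it compiles sits in a user-writable directory, since a fake-update script compiling Mimikatz will satisfy one or both. The Sysmon-style process-creation records, field names and paths below are constructed for the example and are not a real telemetry schema.

```python
"""Detect wscript -> MSBuild compile chains like the one attributed to
Chimborazo/TA505. Added example with constructed process-creation records
(assumption: fields pid, ppid, image, cmdline are available, as in Sysmon
Event ID 1).
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def suspicious_msbuild(events):
    """Return [(pid, [reasons])] for MSBuild launches that look like
    living-off-the-land compiles rather than developer builds."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "msbuild.exe":
            continue
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        reasons = []
        if pname in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {pname}")
        if any(p in e.cmdline.lower() for p in USER_WRITABLE):
            reasons.append("project file in user-writable path")
        if reasons:
            findings.append((e.pid, reasons))
    return findings


# Constructed sample: a fake "update" script compiling a project from
# %APPDATA%, next to a legitimate developer build that must not alert.
SAMPLE = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\update.js"'),
    ProcEvent(1300, 1200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\upd.csproj"),
    ProcEvent(2000, 1000, r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(2100, 2000, r"C:\Program Files\Microsoft Visual Studio\2019\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
]


if __name__ == "__main__":
    for pid, reasons in suspicious_msbuild(SAMPLE):
        print(pid, "; ".join(reasons))
```

Both heuristics fire on the constructed malicious chain and neither fires on the Visual Studio build; in production, restrict the script-host rule to hosts outside build servers and pair it with the Netlogon events Microsoft added in the August update.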
Attacks showing up in commodity malware like those used by the threat actor Chimborazo indicate broader exploitation in the near term, Microsoft says, urging readers to apply the update.
This is the second time this week attackers have been seen using Zerologon in the wild. Mercury, an Iranian APT group also known as MuddyWater, Static Kitten, and Seedworm, has been using the vulnerability in active campaigns over the past two weeks, Microsoft Security Intelligence found. Mercury has historically targeted government organizations, especially those in the Middle East.
