This week, Microsoft announced that it had discovered Zerologon attacks apparently being carried out by TA505, a prominent cybercrime organisation linked to Russia.
According to Microsoft, the Zerologon attacks it has identified involve fake software updates that connect to command and control (C&C) infrastructure believed to belong to TA505, a group Microsoft tracks as CHIMBORAZO.
The fake updates are designed to bypass User Account Control (UAC) in Windows and abuse the Windows Script Host (wscript.exe) to run malicious scripts.
Microsoft said, “To bypass the flaw, attackers misuse MSBuild.exe to compile modified Mimikatz with built-in ZeroLogon features.”
We’re seeing more activity leveraging the CVE-2020-1472 exploit (ZeroLogon). A new campaign shrewdly poses as software updates that connect to known CHIMBORAZO (TA505) C2 infrastructure. The fake updates lead to UAC bypass and use of wscript.exe to run malicious scripts.
— Microsoft Security Intelligence (@MsftSecIntel) October 6, 2020
“Attacks occurring in commodity malware like those used by the threat actor CHIMBORAZO suggest wider exploitation in the near term,” the tech giant said.
TA505, also known as Evil Corp, has been active for almost a decade and is best known for banking trojans and ransomware operations. This is not the first time the group has used Windows vulnerabilities in its attacks, and researchers have recently found several similarities between campaigns run by TA505 and by North Korean hackers.
Microsoft first warned users on September 24 that malicious actors were exploiting the Zerologon flaw. Earlier this week it issued another alert, after finding that the vulnerability had already been abused by an Iranian state-sponsored threat actor.
The Zerologon vulnerability, officially tracked as CVE-2020-1472 and described as a privilege escalation issue, affects Windows Server and has been rated critical. Microsoft patched it in August as part of its monthly security updates.
The vulnerability allows an attacker who already has access to the targeted company's network to compromise domain controllers without needing any passwords.
Microsoft has told customers that installing the patches issued in August is only the first step in fixing the Zerologon vulnerability. The second phase, which will involve placing domain controllers in compliance mode, will begin in February 2021.
A few weeks after Microsoft patched the flaw, the DHS issued an emergency directive ordering government agencies to deploy the available patches immediately.
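The August patch did not only close the hole; it also made patched domain controllers log, in the System event log under the NETLOGON source, which Netlogon secure channel connections are still vulnerable (Event IDs 5827/5828 for refused connections, 5829/5830/5831 for connections still allowed), and 5829 events identify the machines that will break once the February compliance (enforcement) phase begins. The following triage script is an added example written for this article, not code from Microsoft or from the article; the event records are constructed JSON lines, not real telemetry.

```python
import json

# Netlogon event IDs that patched domain controllers write to the System log
# (source NETLOGON) under Microsoft's CVE-2020-1472 guidance.
DENIED = {5827, 5828}                 # vulnerable secure channel refused
ALLOWED_VULNERABLE = {5829, 5830, 5831}  # vulnerable secure channel still allowed

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"EventID": 5829, "Provider": "NETLOGON", "Computer": "DC01", "Account": "FILESRV01$", "Client": "10.0.0.25"}
{"EventID": 5829, "Provider": "NETLOGON", "Computer": "DC01", "Account": "FILESRV01$", "Client": "10.0.0.25"}
{"EventID": 5827, "Provider": "NETLOGON", "Computer": "DC01", "Account": "WS07$", "Client": "10.0.0.77"}
{"EventID": 5830, "Provider": "NETLOGON", "Computer": "DC02", "Account": "LEGACYNAS$", "Client": "10.0.1.9"}
{"EventID": 7036, "Provider": "Service Control Manager", "Computer": "DC01"}
"""


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def triage(events):
    """Summarise Netlogon secure channel events relevant to CVE-2020-1472.

    Returns a dict with:
      denied             - (account, client) pairs whose vulnerable connection was refused
      allowed_vulnerable - count of still-allowed vulnerable connections per (account, client)
      not_enforcement_ready - accounts seen in 5829 events, i.e. those that will
                              fail once enforcement mode is switched on
    """
    summary = {"denied": [], "allowed_vulnerable": {}, "not_enforcement_ready": set()}
    for ev in events:
        if ev.get("Provider") != "NETLOGON":
            continue  # only Netlogon events carry the secure channel verdicts
        eid = ev.get("EventID")
        key = (ev.get("Account"), ev.get("Client"))
        if eid in DENIED:
            summary["denied"].append(key)
        elif eid in ALLOWED_VULNERABLE:
            summary["allowed_vulnerable"][key] = summary["allowed_vulnerable"].get(key, 0) + 1
            if eid == 5829:  # allowed only because enforcement is not yet on
                summary["not_enforcement_ready"].add(ev.get("Account"))
    return summary


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_LOG))
    for account in sorted(result["not_enforcement_ready"]):
        print(f"fix before enforcement mode: {account}")
    for account, client in result["denied"]:
        print(f"refused vulnerable connection: {account} from {client}")
```

Repeated 5829 entries for the same account point to a host that needs a vendor update or, failing that, a conscious policy exception rather than a delayed rollout of enforcement mode.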