Microsoft has issued a warning after observing multiple threat groups using exploits for the Zerologon vulnerability (CVE-2020-1472), a flaw in the Windows Netlogon Remote Protocol (MS-NRPC), the core authentication component that Windows Server domain controllers use for Active Directory.
The flaw is an elevation of privilege vulnerability that is exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using MS-NRPC. No credentials are required: an unauthenticated attacker with network access to a domain controller can exploit the flaw to gain administrative control of that domain controller, and with it the Active Directory domain.
Microsoft released a patch for the flaw in its August 2020 Patch Tuesday update; however, many organizations have yet to apply it and remain vulnerable. Note that the August update is only the first phase of Microsoft's fix: it blocks vulnerable Netlogon connections from Windows domain members but, by default, still allows and only logs them from non-Windows devices until the enforcement phase scheduled for February 2021, so installing the update on domain controllers does not by itself refuse every vulnerable connection.
The Iranian nation-state advanced persistent threat (APT) group that Microsoft tracks as Mercury, also known as MuddyWater, SeedWorm and Static Kitten, has been exploiting the flaw for the past two weeks. The group typically targets government organizations for espionage.
An unnamed adversary was observed using an exploit for a SharePoint vulnerability (CVE-2019-0604) to compromise unpatched servers remotely, implanting a web shell for persistent access and code execution, deploying Cobalt Strike, and then exploring the network and targeting domain controllers with the Zerologon exploit.
The TA505 threat group is also using a Zerologon exploit. Its campaign uses fake software updates that connect to the group's command and control infrastructure. The attackers then elevate privileges on the compromised system and run malicious scripts with Windows Script Host (WScript.exe). They use MSBuild.exe to compile a version of the Mimikatz post-exploitation tool that incorporates exploit code for Zerologon, allowing them to take over domain controllers.
Zerologon received the maximum CVSS score of 10.0, and several warnings have been issued urging prompt patching. With multiple threat groups now actively exploiting the flaw, and more likely to follow, applying the patch is essential.
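Because the August 2020 update can be installed without yet refusing every vulnerable connection, "is the patch applied?" is not the whole question a defender needs to answer. The following is an added example, not code from the article, from Microsoft, or from any of the groups described: it checks whether a domain controller is enforcing secure RPC for Netlogon and summarises the NETLOGON events (IDs 5827 to 5831) that the patched Netlogon service writes to the System log when a vulnerable secure channel connection is attempted. It assumes it runs in an elevated PowerShell session on a domain controller that already has the August 2020 or later cumulative update, and the regex used to pull the account name out of the event message is an assumption about the message layout.

```powershell
# Added example; it is not code from the article, from Microsoft, or from any of the
# groups described. Run in an elevated PowerShell session on a domain controller that
# already has the August 2020 (or later) cumulative update, which introduced the
# NETLOGON event IDs and the FullSecureChannelProtection value checked here.

function Get-ZerologonEnforcementState {
    # Returns the FullSecureChannelProtection value (1 = all vulnerable Netlogon
    # connections are refused; 0/absent = initial-deployment mode, in which
    # non-Windows devices may still establish vulnerable connections).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $item = Get-ItemProperty -Path $key -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.FullSecureChannelProtection
}

function Get-VulnerableNetlogonEvents {
    param([int]$Days = 7)
    # 5827/5828: vulnerable connection denied (machine account / trust account)
    # 5829:      vulnerable connection allowed (initial deployment phase)
    # 5830/5831: vulnerable connection allowed by the Group Policy exemption
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$state = Get-ZerologonEnforcementState
if ($state -eq 1) {
    Write-Output 'FullSecureChannelProtection = 1: vulnerable Netlogon secure channel connections are refused.'
} else {
    Write-Output 'FullSecureChannelProtection is not 1: non-Windows devices can still open vulnerable Netlogon connections. Review the events below, then enable enforcement.'
}

$events = Get-VulnerableNetlogonEvents -Days 7
if (-not $events) {
    Write-Output 'No vulnerable Netlogon connection events logged in the last 7 days.'
} else {
    # Summarise per event ID. The account name is pulled out of the message text with a
    # regex; the "SamAccountName:" label is an assumption about the message layout, so
    # the first line of the raw message is kept where the pattern does not match.
    $events | Group-Object Id | ForEach-Object {
        $accounts = $_.Group | ForEach-Object {
            if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { $_.Message.Split("`n")[0] }
        } | Sort-Object -Unique
        [pscustomobject]@{
            EventId  = [int]$_.Name
            Count    = $_.Count
            Accounts = ($accounts -join ', ')
        }
    } | Format-Table -AutoSize
}
```

Read the output with the exploit in mind: public Zerologon exploits authenticate as the domain controller's own machine account, so that account (or any account that is not a known legacy device) appearing in 5827 or 5829 events deserves investigation. On a domain controller in enforcement mode, attempts show up as 5827 denials rather than 5829 allows; 5829 events on a non-enforcing controller are the list of devices that must be fixed or explicitly exempted before enforcement is switched on.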