TA505 Exploits Zerologon

In September, Microsoft released a statement on a Netlogon vulnerability affecting Windows Server Active Directory. Tracked as CVE-2020-1472, it is an elevation-of-privilege flaw that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using MS-NRPC. Microsoft released a patch in August 2020 and urged users to apply it immediately.

As expected, exploitation of this vulnerability has gone wild. Earlier this month the Iranian APT group Mercury, also known as MuddyWater, was actively exploiting it. Now another APT group is known to be exploiting it: TA505, a Russian group known for spreading the Dridex malware and Locky ransomware.

TA505, which Microsoft calls Chimborazo, is distributing fake updates that lead to a UAC bypass and using wscript[.]exe to run malicious code. To exploit this vulnerability, the attackers abuse MSBuild[.]exe to compile Mimikatz updated with built-in Microsoft functionality. "Attacks showing up in commodity malware like those used by the threat actor Chimborazo indicate broader exploitation in the near term," according to Microsoft.
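The chain described above (a script host such as wscript.exe launching malicious code, then MSBuild.exe being abused as a living-off-the-land compiler) leaves a recognisable footprint in process-creation telemetry. The hunt below is an added example, not code from the original post or from Microsoft; it runs simple rules over a handful of constructed process-creation records (hypothetical hosts, paths and command lines, modeled on the usual image / parent image / command line fields) and flags MSBuild.exe spawned by a script host, MSBuild.exe building a project from a user-writable directory, and script hosts executing from user-writable directories. The rule names and path heuristics are this example's own assumptions, not vendor detections.

```python
import re

# Constructed process-creation records (hypothetical), modeled on the
# image / parent image / command line fields of endpoint telemetry.
SAMPLE_EVENTS = [
    {   # fake "update" script run by the Windows Script Host from Temp
        "host": "ws01",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\wscript.exe",
        "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\update.js"',
    },
    {   # MSBuild launched by that script host to compile a project from Temp
        "host": "ws01",
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "command_line": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml",
    },
    {   # legitimate CI build: MSBuild from a build agent, project in a build workspace
        "host": "build01",
        "parent_image": r"C:\Program Files\Jenkins\jenkins.exe",
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "command_line": r"MSBuild.exe C:\Jenkins\workspace\app\app.csproj",
    },
    {   # benign noise
        "host": "ws02",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe",
    },
]

# Heuristic for directories an unprivileged user can write to (assumption).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I
)
# Script hosts commonly used to stage follow-on execution.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the list of rule names that fire for one process-creation event."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    findings = []
    if image == "msbuild.exe":
        if parent in SCRIPT_HOSTS:
            findings.append("msbuild_spawned_by_script_host")
        if USER_WRITABLE.search(cmd):
            findings.append("msbuild_project_in_user_writable_path")
    if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
        findings.append("script_host_running_from_user_writable_path")
    return findings


def hunt(events: list) -> list:
    """Run every rule over every event; yields (host, image, rule) tuples."""
    return [
        (event["host"], basename(event["image"]), rule)
        for event in events
        for rule in evaluate(event)
    ]


if __name__ == "__main__":
    for host, image, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {rule}")
```

The CI record shows why the parent-process and path context matter: MSBuild.exe on its own is far too common to alert on, but MSBuild.exe whose parent is a script host, or whose project file sits under a user profile, is rare in a normal estate and worth a ticket. Pair the script-host rule with the MSBuild rule on the same host within a short window to raise confidence.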
