TA505 Exploits Zerologon

Microsoft in September released a statement on a Netlogon vulnerability affecting Windows Server Active Directory. Tracked as CVE-2020-1472, it is an elevation-of-privilege flaw: it exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using MS-NRPC. Microsoft released a patch in August 2020 and urged users to apply it immediately.

As expected, exploitation of this vulnerability has gone wild. Earlier this month the Iranian APT group MERCURY, also known as MuddyWater, was actively exploiting it. Now another APT group is known to be exploiting it: TA505, a Russian group known for spreading the Dridex malware and Locky ransomware.

TA505, which Microsoft calls Chimborazo, is distributing fake updates that lead to a UAC bypass and uses wscript[.]exe to run malicious code. To exploit this vulnerability, the attackers abuse MSBuild[.]exe to compile Mimikatz updated with built-in Microsoft functionality. As Microsoft put it, “Attacks showing up in commodity malware like those used by the threat actor Chimborazo indicate broader exploitation in the near term.”
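The two passages above, the vulnerable Netlogon secure channel connection and the wscript.exe/MSBuild.exe tradecraft, both leave traces a defender can look for. The following is an added example written for this article (not code from Microsoft, TA505 research, or the original post) that triages constructed, inline sample events for both. It assumes a simplified pipe-delimited event format (source|host|event_id|fields) that is not a real log format; the Netlogon event IDs 5827 through 5831 are those Microsoft added to domain controllers with the August 2020 update, where 5829 means a vulnerable connection was still allowed.

```python
"""Defender-side triage for Zerologon (CVE-2020-1472) exposure.

Check 1: Netlogon hardening events written by patched domain controllers.
  5829 = a vulnerable Netlogon secure channel connection was ALLOWED; the
  calling machine must be fixed before enforcement mode is turned on.
  5827/5828 = denied; 5830/5831 = allowed only by an explicit policy exception.
Check 2: process-creation events matching the tradecraft described above:
  wscript.exe running a script from a user-writable path, and MSBuild.exe
  compiling a project file from a user-writable path or launched by wscript.
"""
import re
from dataclasses import dataclass

NETLOGON_EVENTS = {
    5827: "denied: vulnerable connection from machine account",
    5828: "denied: vulnerable connection from trust account",
    5829: "ALLOWED: vulnerable connection (fix caller before enforcement)",
    5830: "allowed by policy exception: machine account",
    5831: "allowed by policy exception: trust account",
}

# Constructed sample telemetry (hypothetical hosts and paths, not real IoCs).
# Format assumed for this example: "source|host|event_id|Key=value Key=\"quoted\"".
SAMPLE_EVENTS = [
    "Security|DC01|5829|SamAccountName=FILESRV01$ Domain=CORP Machine=FILESRV01",
    "Security|DC01|5827|SamAccountName=OLDNAS$ Domain=CORP Machine=OLDNAS",
    "Security|DC01|4624|LogonType=3 TargetUserName=alice",
    "Sysmon|WS17|1|Image=C:\\Windows\\System32\\wscript.exe "
    "CommandLine=\"wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\update.js\" "
    "ParentImage=C:\\Windows\\explorer.exe",
    "Sysmon|WS17|1|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe "
    "CommandLine=\"MSBuild.exe C:\\Users\\bob\\AppData\\Local\\Temp\\build.xml\" "
    "ParentImage=C:\\Windows\\System32\\wscript.exe",
    # Benign build server: MSBuild on a source tree, spawned by a CI agent.
    "Sysmon|BUILD01|1|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe "
    "CommandLine=\"MSBuild.exe C:\\src\\app\\app.csproj /t:Build\" "
    "ParentImage=C:\\Program Files\\Jenkins\\jenkins.exe",
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
PROJECT_FILE = re.compile(r"\S+\.(xml|csproj|proj)\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    reason: str
    detail: str


def parse_fields(text):
    """Parse Key=value and Key="quoted value" pairs into a dict."""
    out = {}
    for m in FIELD_RE.finditer(text):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def triage(events):
    """Return a Finding for every event that matches one of the two checks."""
    findings = []
    for line in events:
        source, host, event_id, rest = line.split("|", 3)
        event_id = int(event_id)
        fields = parse_fields(rest)
        if source == "Security" and event_id in NETLOGON_EVENTS:
            label = NETLOGON_EVENTS[event_id]
            findings.append(Finding(host, f"netlogon {event_id}",
                                    f"{label}: {fields.get('SamAccountName')}"))
        elif source == "Sysmon" and event_id == 1:
            image = fields.get("Image", "").lower()
            cmd = fields.get("CommandLine", "")
            parent = fields.get("ParentImage", "").lower()
            if image.endswith("\\wscript.exe") and USER_WRITABLE.search(cmd):
                findings.append(Finding(host, "wscript from user-writable path", cmd))
            elif image.endswith("\\msbuild.exe"):
                proj = PROJECT_FILE.search(cmd)
                if proj and (USER_WRITABLE.search(proj.group(0))
                             or parent.endswith("\\wscript.exe")):
                    findings.append(Finding(host, "msbuild project from user-writable path", cmd))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason} -> {f.detail}")
```

The benign BUILD01 line is there on purpose: MSBuild.exe is legitimate on build hosts, so the check keys on the project file location and the parent process rather than on the binary alone. In a real deployment, 5829 events are the list of machines to remediate before switching the domain controllers to enforcement mode.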