Sopra Steria …. Ryuked.. Services down

IT services provider Sopra Steria has confirmed that it was hit by a “new version” of the Ryuk ransomware that was “previously unknown to antivirus software providers and security agencies”.

The French-headquartered company detected the cyberattack on 20 October and made it public the following day.

Reports pointed to hackers using Ryuk ransomware to target Sopra Steria’s Active Directory infrastructure. This saw some IT systems encrypted and a payment demanded to unlock them.

Sopra Steria said it has made the virus signature of the new Ryuk ransomware strain available to “all antivirus software providers” so that they can update their defences.

Sopra Steria said that the ransomware attack was launched “a few days before it was detected”, which meant the virus was contained to a “limited part of the Group’s infrastructure”.

It has been revealed that the Ryuk operators exploited the Netlogon vulnerability CVE-2020-1472, which lets them take over domain controllers and exfiltrate data. Microsoft released a patch for this vulnerability in August.

The company, which provides IT outsourcing services to the NHS and Home Office, said it has not identified any leaked data or damage to client networks.

It may take a few weeks for services to come back up across geographies.

TA505 exploits Zerologon

In September, Microsoft released a statement on a Netlogon vulnerability affecting Windows Server Active Directory. The vulnerability is tracked as CVE-2020-1472, an elevation of privilege flaw: it exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using MS-NRPC. Microsoft released a patch in August 2020 and urged users to apply it immediately.

As expected, exploitation of this vulnerability has gone wild. Earlier this month the Iranian APT group Mercury, also known as MuddyWater, was actively exploiting it. Now another APT group is known to be exploiting it: TA505, a Russian group known for spreading the Dridex malware and Locky ransomware.

TA505, which Microsoft calls Chimborazo, is distributing fake updates that lead to UAC bypass and using wscript[.]exe to run malicious code. To exploit this vulnerability, the attackers abuse MSBuild[.]exe to compile Mimikatz updated with built-in Microsoft functionality. “Attacks showing up in commodity malware like those used by the threat actor Chimborazo indicate broader exploitation in the near term,” Microsoft said.

Zerologon actively exploited by Iranian Mercury APT

Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability (CVE-2020-1472), adding fuel to the fire as the severe flaw continues to plague businesses.

The advanced persistent threat (APT) actor, which Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) has historically targeted government victims in the Middle East to exfiltrate data. Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services.

“MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (Zerologon) in active campaigns over the last 2 weeks,” Microsoft said.

Microsoft released a patch for the Zerologon vulnerability (CVE-2020-1472) as part of its August Patch Tuesday security updates. The bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). As previously reported, the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.

Then, earlier in September, the risk tied to the bug rose further when four public proof-of-concept exploits for the flaw were released on GitHub.

Microsoft’s alert also comes a week after Cisco Talos researchers warned of a spike in exploitation attempts against Zerologon.

“One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution,” said Microsoft in an earlier analysis. “Following the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the Zerologon exploit.”

Microsoft for its part is addressing the vulnerability in a phased rollout. The initial deployment phase started with Windows updates being released on August 11, 2020, while the second phase, planned for the first quarter of 2021, will be an “enforcement phase.”
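One way to prepare for that enforcement phase is to triage the Netlogon events a patched domain controller writes to its System log. The example below is added here and is not from the original post or from Microsoft; it relies on the event IDs 5827 to 5831 that the August 2020 update introduced, on constructed sample events, and on a hypothetical inventory of domain controller IP addresses (KNOWN_DC_IPS) for a simple spoof check.

```python
from collections import Counter

# Netlogon event IDs that the August 2020 update added to the System log on
# domain controllers, as documented by Microsoft for that update:
#   5827 / 5828  vulnerable secure-channel connection DENIED (machine / trust account)
#   5829         vulnerable connection ALLOWED (initial deployment phase only)
#   5830 / 5831  vulnerable connection allowed by an explicit group-policy exception
DENIED, ALLOWED_VULNERABLE, ALLOWED_BY_POLICY = {5827, 5828}, {5829}, {5830, 5831}

# Constructed sample export as (event_id, account, client_ip) tuples, shaped
# like the fields you would pull out of a Get-WinEvent export of those events.
SAMPLE_EVENTS = [
    (5829, "NAS01$", "10.0.5.20"), (5829, "NAS01$", "10.0.5.20"),
    (5830, "LEGACY$", "10.0.5.31"),
    (5827, "DC01$", "10.0.9.77"), (5827, "DC01$", "10.0.9.77"),
    (5827, "DC01$", "10.0.9.77"), (5827, "DC01$", "10.0.9.77"),
]
# Hypothetical inventory: the IPs each domain controller account legitimately uses.
KNOWN_DC_IPS = {"DC01$": {"10.0.1.10"}, "DC02$": {"10.0.1.11"}}

def triage(events, dc_ips=KNOWN_DC_IPS):
    """Classify Netlogon secure-channel events for the enforcement-phase cutover.

    Returns a dict with three lists:
      fix_before_enforcement: (account, ip, count) still making vulnerable
          connections that are only tolerated in the deployment phase (5829) or
          by policy exception (5830/5831); they will be refused once enforcement starts.
      denied: (account, ip, count) vulnerable connections the DC already refused.
      dc_account_from_unknown_ip: (event_id, account, ip, count) where a DC's own
          machine account is used from an IP that DC does not own; a spoofed DC
          account is the shape of a Zerologon attempt, so investigate these first.
    """
    counts = Counter((eid, acct, ip) for eid, acct, ip in events)
    out = {"fix_before_enforcement": [], "denied": [], "dc_account_from_unknown_ip": []}
    for (eid, acct, ip), n in sorted(counts.items()):
        if eid in ALLOWED_VULNERABLE or eid in ALLOWED_BY_POLICY:
            out["fix_before_enforcement"].append((acct, ip, n))
        elif eid in DENIED:
            out["denied"].append((acct, ip, n))
        if acct in dc_ips and ip not in dc_ips[acct]:
            out["dc_account_from_unknown_ip"].append((eid, acct, ip, n))
    return out

if __name__ == "__main__":
    for section, rows in triage(SAMPLE_EVENTS).items():
        print(section)
        for row in rows:
            print("   ", row)
```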

Zerologon goes wild

Threat actors are actively exploiting the Windows Server Zerologon vulnerability in recent attacks. Microsoft strongly recommends that all Windows administrators install the security updates.

As part of the August 2020 Patch Tuesday security updates, Microsoft fixed a critical vulnerability (CVE-2020-1472) in Netlogon. The problem exists because Netlogon does not properly impose security restrictions on the secure channel. A remote, unauthenticated attacker can use MS-NRPC to connect to a domain controller and obtain domain administrator access.

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks. Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat,” warned Microsoft.

Microsoft also presented three samples that were used in the attacks to exploit the Zerologon vulnerability. The samples are .NET executables with the filename ‘SharpZeroLogon.exe’.

Patch immediately, before it becomes too late.