Threat actor TA505, a financially motivated threat group that has been active since at least 2014, is now exploiting this vulnerability. The group is known for frequently changing malware and driving global trends in criminal malware distribution, according to MITRE. In a tweet, Microsoft Security Intelligence said, "A new campaign shrewdly poses as software updates that connect to known CHIMBORAZO (TA505) C2 infrastructure. The fake updates lead to UAC bypass and use of wscript.exe to run malicious scripts. To exploit the vulnerability, attackers abuse MSBuild.exe to compile Mimikatz updated with built-in ZeroLogon functionality. Attacks showing up in commodity malware like those used by the threat actor CHIMBORAZO indicate broader exploitation in the near term."
Matt Walmsley, EMEA Director at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, says, “The exploitation and use of “ZeroLogon” in attack toolkits, as well as being seen in the wild, is no surprise given the vulnerability is so easy to use and so powerful. It allows a threat actor to pivot from gaining network access to full blown domain admin without needing any credentials, and this is alarming. Even after the release of the patch and multiple government agencies urgently advising its application, it represents a significant and widespread risk."
"Aside from patching, security teams should pay close attention to systems which can report when user accounts or hosts are being used to access network services and objects they don’t normally access. For example, if a user has been granted Domain Admin credentials, that user account and that host would then potentially access network services they have never accessed before,” Walmsley adds.
A week ago Microsoft also warned that MERCURY, Iranian state-sponsored hackers known for targeting NGOs and humanitarian organizations, had been using the ZeroLogon exploit in active campaigns over the last two weeks of September.
David “moose” Wolpoff, career hacker and CTO at Randori, says, “ZeroLogon is a serious bug that abuses unpatched domain controllers. The good news is that we don't generally see domain controllers on the internet, and most NGOs I’ve met are well aware of the effects this type of bug can have on their practical security and are able to take swift action. In this case, patches for ZeroLogon have been out since August. It’s my hope that the most vulnerable organizations will have already patched by now, because in my capacity as a red teamer, if I’ve had access to a corporate network for two weeks, I will have found a way to get onto a domain controller regardless of the use of ZeroLogon. It’s a convenient shortcut that ideally has a limited shelf-life."
moose adds, "ZeroLogon is useful for an attacker in a network that is trying to get more access. They can add this capability to their arsenal of attack tools and may gain more access in some places, but it’s likely they will get beaten by the patch by the organizations that know they’re vulnerable. However, if a company has an internet-facing domain controller, a bug with this level of severity must be patched in less than two weeks. Arbitrarily abusing a domain controller is uncommon - bugs like this get hyped because it's easily understandable as opposed to most attacks that end with domain admin access that take more steps.”