Threat actors, TA505 and MERCURY, exploiting ZeroLogon to attack and gain account control privileges
Microsoft recently warned that more cybercriminals have started to incorporate exploit code for the ZeroLogon vulnerability in their attacks.
Threat actor TA505, a financially motivated threat group that has been active since at least 2014, is now exploiting this vulnerability. The group is known for frequently changing malware and driving global trends in criminal malware distribution, according to MITRE. In a tweet, Microsoft Security Intelligence said, "A new campaign shrewdly poses as software updates that connect to known CHIMBORAZO (TA505) C2 infrastructure. The fake updates lead to UAC bypass and use of wscript.exe to run malicious scripts. To exploit the vulnerability, attackers abuse MSBuild.exe to compile Mimikatz updated with built-in ZeroLogon functionality. Attacks showing up in commodity malware like those used by the threat actor CHIMBORAZO indicate broader exploitation in the near term."