Critical Zerologon Flaw Exploited in TA505 Attacks
Microsoft has reported a new campaign exploiting the critical Zerologon vulnerability that was previously disclosed to the public. Just days after the nation-state hacking group Mercury was observed leveraging the flaw, TA505, a Russian-speaking threat group known for the Dridex banking Trojan and Locky ransomware, has been seen using the same vulnerability to attack its targets. TA505 primarily targets financial organizations and uses a variety of attack techniques to compromise its victims' systems.
The Zerologon vulnerability (CVE-2020-1472) has been a patching priority for most organizations since Microsoft released the first half of a two-phase fix in August, stating that an enforcement phase would follow. The flaw is triggered when an attacker with network access to a domain controller establishes a vulnerable Netlogon secure channel connection to it using the Netlogon Remote Protocol (MS-NRPC). Over that connection the attacker can bypass authentication without any valid credentials and obtain domain administrator privileges. TA505 is delivering its exploit through fake software updates that lead to a UAC bypass on the victim's machine.
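Because the August update only logs vulnerable Netlogon connections until enforcement mode is turned on, the practical check for a defender is whether a domain controller is still accepting them. The following PowerShell script is an added example written for this page, not code from Microsoft or from the article. It assumes the August 2020 update (documented in Microsoft KB4557222) is installed on the domain controller, so that the FullSecureChannelProtection registry value is honored and Netlogon events 5827 through 5831 exist, and that it is run with local administrator rights on that DC.

```powershell
# Added example (not from the original article): audit a domain controller's
# Zerologon (CVE-2020-1472) posture after Microsoft's August 2020 update.
# Assumes that update is installed (so events 5827-5831 are emitted) and that
# the script runs as a local administrator on the DC.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# FullSecureChannelProtection = 1 switches the DC to enforcement mode early:
# vulnerable Netlogon secure channel connections are refused instead of logged.
$enforce = (Get-ItemProperty -Path $params -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($enforce -eq 1) {
    Write-Output 'Enforcement mode: ON  (vulnerable Netlogon connections are denied)'
} else {
    Write-Output 'Enforcement mode: OFF (vulnerable Netlogon connections are allowed and only logged)'
}

# Netlogon events written to the System log by a patched DC:
#   5827 / 5828  vulnerable connection DENIED (machine account / trust account)
#   5829         vulnerable connection ALLOWED during the deployment phase
#   5830 / 5831  vulnerable connection allowed by the explicit allow-list policy
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

Write-Output ("Netlogon secure channel events in the last 7 days: {0}" -f $events.Count)
$events |
    Group-Object Id |
    Sort-Object Name |
    ForEach-Object { '  Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count }

# Every 5829 is a device (or an attacker) that still negotiated a vulnerable
# channel. Pull the machine account name out of the message text so each one
# can be patched or investigated before enforcement mode is turned on.
$events |
    Where-Object Id -eq 5829 |
    ForEach-Object {
        $machine = if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            MachineAccount = $machine
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

A non-empty list of 5829 events means the DC is still negotiating vulnerable channels; those are the devices to remediate (or explicitly allow-list) before setting FullSecureChannelProtection to 1. Once Microsoft's enforcement phase is applied the same connection attempts appear as 5827 or 5828 denials instead, which is what an exploitation attempt like the TA505 activity above would look like on a fully patched DC.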