CyberNews Briefs

Critical Zerologon Flaw Exploited in TA505 Attacks

Microsoft has reported a new campaign exploiting the critical Zerologon vulnerability that was previously disclosed to the public. Just days after the nation-state hacking group Mercury was observed leveraging the flaw, TA505, the Russian-speaking threat group known for the Dridex banking Trojan and Locky ransomware, has been using the same vulnerability to launch attacks against its targets. TA505 is known to target financial organizations and to deploy a variety of attack techniques to compromise its victims’ systems.

The Zerologon vulnerability has been a patching priority for most organizations since Microsoft released the first of two planned fixes in August, stating that a second was forthcoming. The vulnerability is exploited when an attacker establishes a vulnerable Netlogon secure channel connection over MS-NRPC while avoiding detection. Through this method, the attacker is able to bypass authentication and obtain elevated admin privileges. TA505 is specifically exploiting the vulnerability by distributing fake updates that lead to a UAC bypass.
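The paragraph above describes the attack from the attacker's side; what a defender usually wants is a way to spot the Netlogon activity it produces. The following triage script is an added example written for this brief, not code from Microsoft, OODA or the reporting it summarizes. It assumes a log-collection pipeline that has already flattened Windows event records into dictionaries, and it keys on the Netlogon event IDs Microsoft documented with the August 2020 update (5827/5828 for denied vulnerable secure-channel connections, 5829/5830/5831 for ones still allowed before enforcement) plus the widely published Security-log indicator of a computer account (event 4742) changed by ANONYMOUS LOGON. The sample records at the bottom are constructed for illustration.

```python
"""Triage flattened Windows event records for Zerologon-related signals.

Added example for a news brief; not the project's or vendor's code.
Assumptions: records are dicts with an integer-like "EventID" and the
field names used below (taken from the Netlogon/Security event templates);
a SIEM or agent has already parsed the EVTX/XML into this shape.
"""
from dataclasses import dataclass
from typing import Iterable, List

# System log, Netlogon source (introduced by the August 2020 Netlogon update).
NETLOGON_DENIED = {5827, 5828}          # vulnerable secure-channel connection denied
NETLOGON_ALLOWED = {5829, 5830, 5831}   # vulnerable connection allowed (pre-enforcement or exception)
# Security log: "A computer account was changed."
COMPUTER_ACCOUNT_CHANGED = 4742


@dataclass(frozen=True)
class Finding:
    event_id: int
    severity: str   # "medium" | "high" | "critical"
    subject: str    # machine or account the event refers to
    detail: str


def triage(records: Iterable[dict]) -> List[Finding]:
    """Return one Finding per record that matches a Zerologon indicator."""
    findings: List[Finding] = []
    for rec in records:
        try:
            event_id = int(rec.get("EventID", 0))
        except (TypeError, ValueError):
            continue  # malformed record: skip rather than crash the pipeline

        if event_id in NETLOGON_DENIED:
            # The DC is enforcing secure RPC and blocked a vulnerable connection:
            # the attempt failed, but something on the network is trying it.
            findings.append(Finding(
                event_id, "medium", rec.get("MachineAccount", "?"),
                "vulnerable Netlogon secure-channel connection denied (DC enforcing)"))
        elif event_id in NETLOGON_ALLOWED:
            # The DC is NOT yet in enforcement mode and let a vulnerable
            # connection through; this is the window Zerologon abuses.
            findings.append(Finding(
                event_id, "high", rec.get("MachineAccount", "?"),
                "vulnerable Netlogon secure-channel connection allowed; DC not enforcing"))
        elif (event_id == COMPUTER_ACCOUNT_CHANGED
              and rec.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
              and rec.get("TargetUserName", "").endswith("$")):
            # A computer account modified by an unauthenticated caller is the
            # classic post-exploitation trace published in defender guidance.
            findings.append(Finding(
                event_id, "critical", rec.get("TargetUserName", "?"),
                "computer account changed by ANONYMOUS LOGON"))
    return findings


def highest_severity(findings: Iterable[Finding]) -> str:
    """Collapse a set of findings to the single worst level (or 'none')."""
    order = {"none": 0, "medium": 1, "high": 2, "critical": 3}
    worst = "none"
    for f in findings:
        if order[f.severity] > order[worst]:
            worst = f.severity
    return worst


# Constructed sample records (not real telemetry); host names are placeholders.
SAMPLE_RECORDS = [
    {"EventID": "4624", "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"EventID": "5829", "MachineAccount": "WS-PLACEHOLDER-01$"},
    {"EventID": "5827", "MachineAccount": "WS-PLACEHOLDER-02$"},
    {"EventID": "4742", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC-PLACEHOLDER$"},
    {"EventID": "4742", "SubjectUserName": "svc-join", "TargetUserName": "WS-03$"},
    {"EventID": "not-a-number"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"[{finding.severity:8}] {finding.event_id} {finding.subject}: {finding.detail}")
    print("overall:", highest_severity(triage(SAMPLE_RECORDS)))
```

The 5829 hits are the ones to act on first in an environment that has applied the August update but not yet moved to enforcement mode: they show the DC is still accepting the vulnerable connection type the brief describes, whereas 5827/5828 show the enforcing DC already rejecting it. A 4742 attributed to ANONYMOUS LOGON should be treated as an incident, not a patching task.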

Read More: Critical Zerologon Flaw Exploited in TA505 Attacks

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.