Threat Signal Report

Ryuk Threat Actors Exploiting Windows Zerologon Vulnerability (CVE-2020-1472)

Description

FortiGuard Labs is aware of reports of active exploitation of the Windows ZeroLogon vulnerability seen by security researchers on TheDFIRReport. To make matters worse, the reports highlight that the attackers behind the Ryuk ransomware, which was one of the most prolific ransomware variants of last year, are incorporating this vulnerability into their arsenal. It also shows that the Ryuk attackers have changed their approach and are accomplishing their feat in a much shorter time frame.

Previously, the typical modus operandi of the attackers behind Ryuk was to exploit known SMB vulnerabilities or brute force RDP connections and then to "live off the land." That term refers to using commonly available system tools that are already preinstalled on a machine to move laterally within a victim network so as not to cause a SIEM or endpoint to red flag potentially suspicious activity by a threat actor.

After various requirements were satisfied, the attackers would then strike out of the blue and leave an organization's IT staff puzzled as to how they were compromised. The fact that there was no specific time frame or apparent evidence leading up to when the attack was executed only added to the confusion. It would come down to when the attackers felt it was the right time to launch an attack. There was no preset time frame.


What are the Specifics of the Attack?

The latest development reveals that the Ryuk attackers are now using a different attack vector besides SMB/RDP to get in - spearphishing. Once the victim opens up the malicious attachment, the BazarLoader malware starts to inject into various system processes and spawn command shell processes. From there it starts to map the domain and then exploits the Windows Zerologon vulnerability to reset the password of the main domain controller. The attackers used a combination of SMB file transfers and WMI executions of Cobalt Strike beacons. The attack also uses PowerShell Active Directory module to perform more domain discovery via lateral movement. Furthering along their objective for reconnaisance, the threat actors pivoted from the primary domain controller in to backup servers. From here the attackers were able to deploy Ryuk from the backup servers, to servers, then finally to workstations.

This latest development highlights that the Ryuk actors have adopted a different and faster approach, and have lessened the time to attack to within hours.


Why is this Important?

This is one of the first examples of a well known and prolific ransomware group adding and utilizing the Windows Zerologon vulnerability to their arsenal. It is also an example that has reduced the attack time frame from weeks/months to hours, due to the easier entry of attack.


What is the Windows ZeroLogon Vulnerability?

The Windows ZeroLogon vulnerability (CVE-2020-1472) allows a remote unauthenticated attacker to control the targeted machine at the domain administrator level. Essentially, an attacker who has access at the domain administrator level can add/delete users, perform data exfiltration or simply sabotage the entire network. This vulnerability has a CVSS score of 10, which is the highest rating.

Fortinet customers running the latest IPS definitions are protected against this vulnerability.


Any Suggestions or Mitigations?

FortiGuard Labs suggests that organizations update and apply the patch released in August for the Windows ZeroLogon vulnerability. As this is an easily exploitable vulnerability and also now is being actively incorporated by attackers, it is imperative to apply the patch immediately. Please refer to the APPENDIX section for a link to the vendor page.

FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards within an environment.

In the meantime, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.


What is the Status of AV and IPS Coverage?

For publicly available samples, Customers running the latest AV definitions are protected by the following signature:

W32/Agent.BFQL!tr

Customers running the latest IPS definitions are protected by the following signature:

MS.Windows.Server.Netlogon.Elevation.of.Privilege


MITRE ATT&CK

Spearphishing Attachment

ID: T1193

Tactic: Initial Access

Platform: Windows


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.