Introduction
Vulnerability management is a popular cybersecurity strategy prioritizing known weaknesses. Much cybersecurity analysis focuses on a particular threat at a specific point in time, covering a narrow window of activity as a result of constantly changing tactics, techniques, and procedures (TTPs). This type of focus, while important, is not well aligned with a long-term vulnerability management strategy. Data from intelligence analysis of a single incident still has a small half-life because TTPs employed by the next cyberattack are likely to have changed from those used in previous attacks. Intelligence analysis of how TTPs change in samples weaponizing a vulnerability across a time range can bolster long-term security improvement by providing analysts with data that better illustrates how risk evolves and what types of threats to unpatched systems an organization is more likely to face.
This analysis examines CVE-2020-1472, a critical vulnerability disclosed on August 18, 2020, which was almost certain to draw a variety of malicious cyberactivity (Appendix A). The vulnerability affects Microsoft environments across a wide array of industries, making CVE-2020-1472 ideal for threat analysis and identifying risks to information networks. The analysis found malware with the highest capability emerging shortly after the vulnerability is disclosed. As time goes on, the risk to unpatched systems remains high from a variety of threats, but the malware still leveraging CVE-2020-1472 after one year posed less risk to the average organization.
CVE-2020-1472
CVE-2020-1472 (Zerologon) is a remote authentication vulnerability that targets the cryptographic authentication configuration within Windows Netlogon channels. The vulnerability allows attackers to gain increased privileges by abusing a custom cryptographic feature of NTP present in certain implementations of the NTLM network protocol (1). The most high-risk cyberattack scenario for this CVE involves using the sequence to change the password on a network administration system, such as a domain controller or an administrator account.
Netlogon's custom implementation of the AES-CFB8 cipher contains a weakness in the generation schema for an initial random number: certain values used to generate encryption are not properly randomized. A special 8-bit value can be obtained through brute-force discovery and used to compromise the encryption and authenticate the attacker, producing a trusted session without credentials to a vulnerable system.
To exploit the vulnerability an attacker must already have access to the same network and initiate a TCP connection to the target system. If the 8-bit challenge is compromised, the attacker can send spoofed Netlogon messages to the target system. First, encryption transport is disabled so that Netlogon transmits the data across the channel without further encoding. Then attackers can spoof authentication to take advantage of access to built-in features the protocol provides.
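Why a non-random initial value is fatal in 8-bit cipher feedback mode, shown as an added example that is not part of the original report: the block implements AES-128 in CFB8 mode and finds the keys for which eight zero bytes encrypt to eight zero bytes when the IV is fixed. The all-zero IV follows the Secura whitepaper (1); the SHA-256-derived keys and all function names are assumptions made for the demonstration.

```python
import hashlib

def xtime(a):
    a <<= 1                                # multiply by x in GF(2^8), AES polynomial 0x11B
    return a ^ 0x11B if a & 0x100 else a

def make_sbox():
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= xtime(p)                                   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)      # q /= 3, so q is the inverse of p
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = make_sbox()

def expand_key(key):
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                     # RotWord, SubWord, round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_block(rks, block):
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        # SubBytes and ShiftRows in one pass (state index = 4*column + row)
        s = [SBOX[s[4 * ((c + r) % 4) + r]] for c in range(4) for r in range(4)]
        if rnd < 10:                       # MixColumns, skipped in the final round
            cols = [s[c:c + 4] for c in range(0, 16, 4)]
            s = [a[i] ^ a[0] ^ a[1] ^ a[2] ^ a[3] ^ xtime(a[i] ^ a[(i + 1) % 4])
                 for a in cols for i in range(4)]
        s = [b ^ k for b, k in zip(s, rks[rnd])]
    return bytes(s)

def cfb8_encrypt(key, iv, plaintext):
    rks, reg, out = expand_key(key), bytes(iv), bytearray()
    for p in plaintext:
        out.append(encrypt_block(rks, reg)[0] ^ p)   # one keystream byte per block call
        reg = reg[1:] + out[-1:]                     # shift the ciphertext byte into the register
    return bytes(out)

def constructed_key(n):    # stand-in for an unknown key (constructed test data)
    return hashlib.sha256(b"constructed key %d" % n).digest()[:16]

def zero_iv_weak_keys(trials):
    # If AES_k(0^16) starts with 0x00 the register stays all-zero: zeros encrypt to zeros.
    return [n for n in range(trials)
            if encrypt_block(expand_key(constructed_key(n)), bytes(16))[0] == 0]
```

Roughly one key in 256 lands in `zero_iv_weak_keys`, which is the 8-bit search space the paragraph above refers to; with an IV that differs per message the register no longer starts in a self-reproducing state and the shortcut disappears.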
Analysis and Timeline of TTPs Developed to Leverage the Zerologon Vulnerability Post Public Release
Samples are referenced using Roman numerals and presented in full at the end of the report.
Samples in the First 30 Days
Earliest Cyberattacks Using Zerologon Are Paired with Malware Providing Lateral Movement and Deeper Network Compromise
The first waves of malware observed in mid-September 2020 leveraging CVE-2020-1472 exploitation are designed for reconnaissance and lateral movement (I). Malware reported (2, 3) creates risk via further pivoting and exploitation to find holes and expand upon the initial compromise. One attack used SharePoint vulnerability CVE-2019-0604 for initial remote access (2). The first publicly shared proof-of-concept (PoC) exploit for the CVE on the clearnet was published to GitHub on September 14, 2020, one day after Microsoft’s malware report (4). EclecticIQ analysts observe similar web shells and Cobalt Strike payloads in the sample (VII) from an attack occurring much later, with a very similar Kill-Chain. The timing of one PoC directly precedes the first wave of malware after September 2020 (4). Four PoCs in total were eventually circulated after the report by Secura (5).
Samples at 30-90 Days
Tailored Malware is Developed for the Vulnerability Days After Reports of Initial Attacks
Shortly after the initial wave of observed malware, known advanced persistent threat (APT) groups adopt CVE-2020-1472 into many toolsets that appear both tailored and designed for broader mass exploitation. TA505, a financially motivated cybercriminal group possibly operating out of Russia, was observed in new attacks using a custom version of Mimikatz with Zerologon that is very similar to sample (II) and is reported in (6). Mimikatz was almost certainly used for further internal lateral movement post-Zerologon exploitation. TA505 used Zerologon to deploy Clop ransomware against the University of Maastricht, Netherlands (7).
Several APT Groups Demonstrate Using Zerologon in New Toolsets
On October 9, 2020, a group known as MuddyWater reportedly leveraged Zerologon in new attacks (6). APT MuddyWater, believed to operate out of Iran (8), leveraged Zerologon and the Mimikatz tool discussed above to deliver Ryuk ransomware in new attacks (9, 12). Separately, the city of Austin, TX, USA was very likely targeted using the Zerologon vulnerability to gain widespread access to the city’s network (13) by Berserk Bear, an APT group with reported ties to Russia (12).
Chaining Multiple CVEs Within a Single Cyberattack Kill-Chain is Common Practice for APTs
Attacks were observed using Zerologon and other known vulnerabilities to compromise US election systems, among other targets (14). Other exploits paired with Zerologon commonly targeted VPN systems and network gateway devices. CVE-2018-13379 and CVE-2020-15505 were reported in a cyberattack along with Zerologon to compromise networks. CVE-2018-13379 is a vulnerability providing initial access through path traversal to an unauthenticated, remote attacker. The attacker can exploit the initial vulnerability by sending a specially crafted HTTP request containing a code sequence to a vulnerable FortiGate SSL VPN. This initial access allows the attacker to then perform discovery for a vulnerable Netlogon channel.
APTs Linked to Multiple Nations Leverage Zerologon Within Their Toolsets
Further reporting attributes Zerologon cyberattacks in November 2020 to APT-10 (10), a group the US government associates with China. APT-10 expands the use of Zerologon to target many countries (13) including the US, UK, France, Belgium, Germany, UAE, India, Thailand, Vietnam, Japan, Hong Kong, and the Philippines. Alongside Zerologon for privilege escalation, APT-10 used a variety of living-off-the-land tools for lateral movement including Certutil, Adfind, Csvde, Ntdsutil, WMIExec, and PowerShell.
Undetected APT Activity Very Likely Occurs Earlier Than Reported
The APT-linked Kill Chains described a month post disclosure demonstrate well-developed APT activities with a thorough understanding of the vulnerability’s capability. This is evident in attacks involving both widespread (opportunistic) and tailored (highly targeted) cyberattacks. APT exploitation is not observed earlier because either reporting is slow to catch up with real-world activity, or APTs stockpile exploits and wait to deploy them against vulnerabilities when exploit participation increases sufficiently that attribution becomes difficult. APTs may also spend initial gap-time testing and preparing the vulnerability for tailored use cases, which could also explain why the activity is not picked up earlier.
Samples at 90-180 Days
Zerologon Begins Transition to Malware-as-a-Service as it Passes Through More Developers
After about five months, the first hints of ‘generic’ malware samples appear using bolt-on automated exploitation modules for Zerologon (III). Exploitation modules in the form of scripts allow the vulnerability to be easily adopted by many malware families. One of the signs of generic malware development is the same sample being reported in disparate attacks (IV). Detecting individual modules separate from other malware also forecasts a transition to high-volume cyberattacks (V). The same sample (V) is also present in a report associated with a different sample (VI), where the same Zerologon exploitation module is reported with Cobalt Strike and Qbot as primary commodity malware payloads.
EclecticIQ Analysts Observe Stealthy Activity Giving Way to Noisier Higher-Volume Attacks as More Threat Actors Adopt the Vulnerability
Multiple ransomware syndicates incorporate the vulnerability following earlier APT activity. The use of ransomware in the lifecycle of a vulnerability typically marks an inflection point of more widespread adoption in threat actor communities. Malware of this period, like ransomware, shifts toward financial objectives. It is very likely that the Zerologon exploits adopted earlier by ransomware syndicates provide precursors to plug-in modules that are later adapted and developed out into other malware-as-a-service (MaaS) families (VI, VII). This leads to the increase in cyberattacks that EclecticIQ analysts observe during this phase, based on samples involving the vulnerability. Analysts observed one such file (XII) that uses CVE-2020-1472 to provide for payload injection into svchost.exe, a standard Windows service, but no further payload was associated.
Ryuk ransomware is observed in a cyberattack on a hospital in December 2020 (16), followed by Netwalker ransomware in early 2021 (17, 18). The Zerologon privilege escalation helps speed up ransomware attacks, allowing a rapid vector to acquire administrator control over entire networks. In January 2021, the US government linked the Netwalker syndicate to an individual developer in Canada (19). Ryuk has reported ties to Russia-based cybercriminals (14).
The variants comprising commodity malware families tend to be operated by threat actors of less skill, but the malware introduces risk through diversification of specific capabilities.
Trickbot and BazarLoader using Zerologon signal that the vulnerability has moved to mainstream commodity malware (20, 21). The adoption of the vulnerability into multiple malware families after observing exploitation by multiple APT groups provides evidence that threat actors continue to find Zerologon effective with time. As a result of adoption and adaptation, cyberattacks using Zerologon at this point are very likely approaching a relatively high point in volume over the two years analyzed.
Samples at 180-360 Days
Automation Increases as Botnets and MaaS Variants Leveraging Zerologon Continue Its Transition to High-Volume Attacks
Malware contains increased automation and less functionality. The objective for this common malware (MaaS/commodity) tends to be financial, whereas APTs and ransomware syndicates observed earlier also design malware for data theft and destruction (V). Within the same campaign activity cluster as sample (VI), Qbot and Cobalt Strike are again observed at this time, with Cobalt Strike used to administer the connection post Qbot compromise. Cobalt Strike was among the initial malware observed with Zerologon after the first public disclosure by Microsoft. The addition of new malware versions using the same vulnerability after many months is evidence of the continued effectiveness and popularity of CVE-2020-1472. Although ransomware and APT attacks have not stopped, new samples during this period indicate that threat actors still exploiting Zerologon increasingly do so using malware not unique to the attacks and with a more linear financial objective.
Creation of New Malware Slows After Microsoft Releases Further Mitigation
On February 9, 2021, Microsoft released a further update to the vulnerable remote procedure call feature, creating a server-side policy to enforce higher standards for the encryption implementation used for Netlogon authentication. The same day, a sample is uploaded to VirusTotal with Zerologon being leveraged to deploy crypto-jacking bots (VII). The sample demonstrates how malware presents a continual risk despite patch management.
Despite evidence of continued malware development, the second mitigation event for CVE-2020-1472 is followed by a significant decrease in newly designed malware samples almost a year after the initial disclosure. EclecticIQ analysts observe far fewer new malware samples with timestamps and reported cyberattacks matching this period. This gap in evidence very likely reflects the slowing of malware development according to the samples presented. Generic trojans (MaaS) are now the most common type of malware contributing to cyberattacks (22, 23).
Samples After 360 Days
Testing Tools Can Aid Malicious or Benevolent Discovery
The remainder of 2021 experiences a lull in new samples, which very likely indicates the second mitigation event in February 2021 was reasonably effective. One of the last TTPs identified in 2021 is a file reported to be a red team tool that was developed by FireEye and stolen in a related SolarWinds hack (VIII). The last date of analysis for one of the tools was May 9, 2022. Microsoft reports the same file (VIII) is malware and was reported in IOCs belonging to the initial wave of attacks 1.5 years earlier (2).
Samples After 720 Days (2022 Activity)
Commodity Trojans (MaaS) and Password Stealers Now Dominate Cyberattacks
Multiple samples remain active almost two years from the original vulnerability publication. Analysis of samples on VirusTotal indicates at least 40 variants that exploit Zerologon and have high rates of malicious detection appear active in 2022 (X, XI, 22).
Additional Testing Tools Detected Contain IOCs Indicating Use by Either Whitehat or Blackhat Actors
Another Linux-based testing tool specific to Zerologon and different from the FireEye tool is found with later timestamps (IX). TrendMicro identified one of the same testing tool files (X) linked to a reported cyberattack using the same Impacket variant on April 29, 2022 (23). The discovery of this additional tooling is very likely indicative of the sustained popularity of identifying remaining vulnerable systems for possible cyberattack using Zerologon. The remaining systems are not likely to be of high value at this point because of mitigation efforts over time. EclecticIQ analysts reasonably assume these instances are not covered by policy-mandated patching requirements and are thus more likely to be attached to less critical systems.
Find full details on all samples here
Conclusion
Changes to TTPs Used in Cyberattacks Over the Lifespan of a Vulnerability Have Important Implications for an Organization’s Long-Term Security Posture
This analysis highlights how initial threats and capabilities tied to Zerologon were very high following initial disclosure. Malware then gradually grew more specific with linear objectives that shifted from spying and proprietary information theft to financial gain, as more and more vulnerable systems were patched. After a further point, commodity malware takes over as the primary malware leveraging the vulnerability in a spray-and-pray approach. This lifecycle may continue for many years.
The resulting intelligence data can be used for a more effective iteration of cyber defense in a vulnerability-centric security program. The trends observed across all threats for CVE-2020-1472 are more likely to remain relevant for similar vulnerabilities in the near term. Organizations that already adopt vulnerability-centric security postures can use this type of analysis to direct more efficient resources to counter TTPs. The pyramid of pain says it is more difficult for threat actors to change TTPs compared to IOCs. A structured analysis of more TTPs across many cyberattacks sharing infrastructure (Zerologon) produces intelligence with a longer half-life, better preparing organizations that already adopt vulnerability-centric security postures.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
References
1. https://www.secura.com/uploads/whitepapers/Zerologon.pdf
2. https://www.microsoft.com/security/blog/2020/11/30/Zerologon-is-now-detected-by-microsoft-defender-for-identity/
3. https://darktrace.com/blog/zerologon-exploit-detected-within-24-hours-of-vulnerability-notice
4. https://github.com/dirkjanm/CVE-2020-1472
5. https://threatpost.com/Zerologon-attacks-microsoft-dcs-snowball/159656/
6. https://blog.qualys.com/vulnerabilities-threat-research/2021/02/01/unpacking-the-fireeye-breach-start-here-first
7. https://measuredinsurance.com/blog/Zerologon-the-aftermath/
8. https://attack.mitre.org/groups/G0069/
9. https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
10. https://attack.mitre.org/groups/G0045/
11. https://theintercept.com/2020/12/17/russia-hack-austin-texas/
12. https://www.cisa.gov/uscert/ncas/alerts/aa20-283a
13. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
14. https://blog.malwarebytes.com/videobytes/2020/12/videobytes-ryuk-ransomware-targeting-us-hospitals/
15. https://blogs.blackberry.com/en/2021/03/Zerologon-to-ransomware
16. https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware
17. https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html
18. https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/the-story-of-Zerologon/
19. https://www.virustotal.com/gui/file/f63e17ff2d3cfe75cf3bb9cf644a2a00e50aaffe45c1adf2de02d5bd0ae35b02
20. https://www.virustotal.com/gui/file/1450f7c85bfec4f5ba97bcec4249ae234158a0bf9a63310e3801a00d30d9abcc/content
21. https://www.bleepingcomputer.com/news/microsoft/microsoft-hackers-using-zerologon-exploits-in-attacks-patch-now/
22. https://www.virustotal.com/gui/search/tag%253Acve-2020-1472/files
23. https://www.trendmicro.com/en_us/research/22/g/analyzing-penetration-testing-tools-that-threat-actors-use-to-br.html