Long Term Analysis Illustrates How Risk Posed by a Vulnerability Changes as Exploits Develop Over Time

Introduction

Vulnerability management is a popular cybersecurity strategy prioritizing known weaknesses. Much cybersecurity analysis focuses on a particular threat at a specific point in time, covering a narrow window of activity as a result of constantly changing tactics, techniques, and procedures (TTPs). This type of focus, while important, is not well aligned with a long-term vulnerability management strategy. Data from intelligence analysis of a single incident still has a small half-life because TTPs employed by the next cyberattack are likely to have changed from those used in previous attacks. Intelligence analysis of how TTPs change in samples weaponizing a vulnerability across a time range can bolster long-term security improvement by providing analysts with data that better illustrates how risk evolves and what types of threats to unpatched systems an organization is more likely to face.

This analysis examines CVE-2020-1472, a critical vulnerability disclosed on August 18, 2020, which was almost certain to draw a variety of malicious cyberactivity (Appendix A). The vulnerability affects Microsoft environments across a wide array of industries, making CVE-2020-1472 ideal for threat analysis and identifying risks to information networks. The analysis found malware with the highest capability emerging shortly after the vulnerability is disclosed. As time goes on, the risk to unpatched systems remains high from a variety of threats, but the malware still leveraging CVE-2020-1472 after one year posed less risk to the average organization.

CVE-2020-1472

CVE-2020-1472 (Zerologon) is a remote authentication vulnerability that targets the cryptographic authentication configuration within Windows Netlogon channels. The vulnerability allows attackers to gain increased privileges by abusing a custom cryptographic feature of NTP present in certain implementations of the NTLM network protocol (1). The Most High-risk Cyberattack Scenario for this CVE involves using the sequence to change the password on a network administration system, such as a domain controller or an administrator account.

The AES-CFB8 cipher that Netlogon custom implements contains a weakness in the generation schema for an initial random number where certain values used to generate encryption are not properly randomized. A special 8-bit value can be obtained through brute-force discovery and used to compromise the encryption and authenticate the attacker, producing a trusted session without credentials to a vulnerable system.

To exploit the vulnerability an attacker must already have access to the same network and initiate a TCP connection to the target system. If the 8-bit challenge is compromised, the attacker can send spoofed Netlogon messages to the target system. First, encryption transport is disabled so that Netlogon transmits the data across the channel without further encoding. Then attackers can spoof authentication to take advantage of access to built-in features the protocol provides.

Analysis and Timeline of TTPs Developed to Leverage the Zerologon Vulnerability Post Public Release

Samples are referenced using roman numerals and presented in full at the end of the report

Samples in the First 30 Days

Earliest Cyberattacks Using Zerologon Are Paired with Malware Providing Lateral Movement and Deeper Network Compromise

The first waves of malware observed in mid-September 2020 leveraging CVE-2020-1472 exploitation are designed for reconnaissance and lateral movement (I). Malware reported (2, 3) creates risk via further pivoting and exploitation to find holes and expand upon the initial compromise. One attack used SharePoint vulnerability CVE-2019-0604 for initial remote access (2). The first publicly shared proof-of-concept (PoC) exploit for the CVE on the clearnet was published to Github on September 14, 2020, one day after Microsoft’s malware report (4). EclecticIQ analysts observe similar web shells and Cobalt Strike payloads also in the sample (VII) from an attack occurring much later, with a very similar Kill-Chain. The timing of one PoC directly precedes the first wave of malware after September 2020 (4). Four PoCs in total were eventually circulated after the report by Secura (5).

Samples at 30-90 Days

Tailored Malware is Developed for the Vulnerability Days After Reports of Initial Attacks

Shortly after the initial wave of observed malware, known APT (Advanced Persistent Threats) groups adopt CVE-2020-1472 into many toolsets that appear both tailored as well as designed for broader mass exploitation. TA-505, a financially motivated cybercriminal group possibly operating out of Russia, was observed using a custom version of Mimikatz with Zerologon in new attacks that is very similar to sample (II) and is reported in (6). Mimikatz was almost certainly used for further internal lateral movement post-Zerologon exploitation. TA505 used Zerologon to deploy Clop ransomware against the University of Maastricht, Netherlands (7).

Several APT Groups Demonstrate Using Zerologon in New Toolsets

On October 9, 2020, a group known as Muddywater reportedly leveraged Zerologon in new attacks (6). APT Muddywater, believed to operate out of Iran (8), leveraged Zerologon and the Mimikatz tool discussed above to deliver Ryuk ransomware in new attacks (9, 12). Separately, the city of Austin TX, USA was very likely targeted using the Zerologon vulnerability to gain widespread access to the city’s network (13) by Berserk Bear – an APT group with reported ties to Russia (12).

Chaining Multiple CVEs Within a Single Cyberattack Kill-Chain is Common Practice for APTs

Attacks were observed using Zerologon and other known vulnerabilities to compromise US election systems, among other targets (14). Other exploits paired with Zerologon commonly targeted VPN systems and network gateway devices. CVE-2018-13379 and CVE-2020-15505 were reported in a cyberattack along with Zerologon to compromise networks. CVE-2018-13379 is a vulnerability providing initial access through path traversal to an unauthenticated, remote attacker. can exploit the initial vulnerability by sending a specially crafted HTTP request containing a code sequence to a vulnerable Fortigate SSL VPN. This initial access allows the attacker to then perform discovery for a vulnerable Netlogon channel.

APTs Linked to Multiple Nations Leverage Zerologon Within Their Toolsets

Further reporting attributes APT-10 (10), a group the US government associates with China, to Zerologon cyberattacks in November 2020. APT-10 expands the use of Zerologon to target many countries (13) including the US, UK, France, Belgium, Germany, UAE, India, Thailand, Vietnam, Japan, Hong Kong, and the Philippines. Alongside Zerologon for privilege escalation, APT-10 used a variety of living-off-the-land tools for lateral movement including Vertutil, Adfind, Csvde, Ntdsutil, WMIExec, and PowerShell.

Undetected APT Activity Very Likely Occurs Earlier Than Reported

The APT-linked Kill Chains described a month post disclosure demonstrate well-developed APT activities with a thorough understanding of the vulnerability’s capability. This is evident in attacks involving both widespread (opportunistic) and tailored (highly targeted) cyberattacks. APT exploitation is not observed earlier because either reporting is slow to catch up with real-world activity, or APTs stockpile exploits and wait to deploy them against vulnerabilities when exploit participation increases sufficiently that attribution becomes difficult. APTs may also spend initial gap-time testing and preparing the vulnerability for tailored use cases, which could also explain why the activity is not picked up earlier.

Samples at 90-180 Days

Zerologon Begins Transition to Malware-as-a-Service as it Passes Through More Developers

After about five months the first hints of ‘generic’ malware samples appear using bolt-on automated exploitation modules for Zerologon (III). Exploitation modules in the form of scripts allow the vulnerability to be easily adopted by many malware families. One of the signs of generic malware development is reporting the same sample in disparate attacks (IV). Detecting individual modules separate from other malware also forecasts a transition to high-volume cyberattacks (V). The same sample (V) is also present in a report associated with a different sample (VI), where the same Zerologon exploitation module is reported with Cobalt Strike and Qbot as primary commodity malware payloads

EclecticIQ Analysts Observe Stealthy Activity Giving Way to Noisier Higher-Volume Attacks as More Threat Actors Adopt the Vulnerability

Multiple ransomware syndicates incorporate the vulnerability following earlier APT activity. The use of ransomware in the lifecycle of a vulnerability typically marks an inflection point of more widespread adoption in threat actor communities. Malware of this period, like ransomware, shifts toward financial objectives. It is very likely that the Zerologon exploits adopted earlier by ransomware syndicates provide precursors to plug-in modules that are later adapted and developed out into other malware-as-a-service (MaaS) families (VI, VII). This leads to increasing cyberattacks EclecticIQ analysts observe during this phase based on samples involving the vulnerability. Analysts observed one such file (XII) that uses CVE-2020-2472 to provide for payload injection into svchost.exe, a standard Windows service, but no further payload was associated.

Ryuk ransomware is observed in a cyberattack on a hospital in December 2020 (16), followed by Netwalker ransomware in early 2021 (17, 18). The Zerologon privilege escalation helps speed up ransomware attacks allowing a rapid vector to acquire administrator control over entire networks. In January 2021, the US government linked the Netwalker syndicate to an individual developer in Canada (19). Ryuk has reported ties to Russia-based cybercriminals (14).

The variants comprising commodity malware families tend to be operated by threat actors of less skill, but the malware introduces risk through diversification of specific capabilities

Trickbot and BazarLoader using ZeroLogon signals the vulnerability has moved to mainstream commodity malware (20, 21). The adoption of the vulnerability into multiple malware families after observing exploitation by multiple APT groups provides evidence that threat actors continue to find Zerologon effective with time. As a result of adoption and adaptation, cyberattacks using Zerologon at this point are very likely approaching a relatively high point in volume over the two years analyzed.

Samples at 180-360 Days

Automation Increases as Botnets and Maas Variants Leveraging Zerologon Continue Its Transition to High-Volume Attacks

Malware contains increased automation and less functionality. The objective for this common malware (MaaS/commodity) tends to be financial, whereas APTs and ransomware syndicates observed earlier also design malware for data theft and destruction (V). Within the same campaign activity cluster as sample (VI), Qbot and Cobalt Strike are again observed at this time, with Cobalt Strike used to administer the connection post Qbot compromise. Cobalt Strike was one initial malware observed with Zerologon after the first public disclosure by Microsoft. Adding new malware versions with the same vulnerability after many months is evidence of the continued effectiveness and popularity of CVE-2020-1472. Although ransomware and APT attacks have not stopped, new samples during this period indicate threat actors still exploiting zerologon do so increasingly using malware not unique to the attacks and with a more linear financial objective.

Creation of New Malware Slows After Microsoft Releases Further Mitigation

On February 9, 2021, Microsoft released a further update to the vulnerable remote procedure call feature, creating a server-side policy to enforce higher standards for the encryption implementation used for Netlogon authentication. The same day, a sample is uploaded to VirusTotal with Zerologon being leveraged to deploy crypto-jacking bots (VII). The sample demonstrates how malware presents a continual risk despite patch management.

Despite evidence of continued malware development, the second mitigation event for CVE-2020-1472 is followed by a significant decrease of newly designed malware samples almost a year after the initial disclosure. EclecticIQ analysts observe far fewer new malware with timestamps and reported cyberattacks matching this period. This gap in evidence very likely reflects the slowing of malware development according to the samples presented. Generic trojans (MaaS) are now the most common type of malware contributing to cyberattacks (22, 23).

Samples After 360 Days

Testing Tools Can Aid Malicious or Benevolent Discovery

The remainder of 2021 experiences a lull in new samples and very likely indicates the second mitigation event in February 2021 was reasonably effective. One of the last TTPs identified in 2021 is a file reported to be a red team tool developed by FireEye and which was stolen in a related SolarWinds hack (VIII). The last date of analysis for one of the tools was May 9, 2022. Microsoft reports the same file (VIII) is malware and was reported in IOCs belonging to the initial wave of attacks 1.5 years earlier (2).

Samples After 720 Days (2022 Activity)

Commodity Trojans (MaaS) and Password Stealers Now Dominate Cyberattacks

Multiple samples remain active almost two years from the original vulnerability publication. Analysis of samples on VirusTotal indicates at least 40 variants with high rates of malicious detection and exploiting Zerologon appear active in 2022 (X, XI, 22).

Additional Testing Tools Detected Contain IOCs indicating Use by Either Whitehat or Blackhat Actors

Another Linux-based testing tool specific to Zerologon and different from the FireEye tool is found with later timestamps (IX). TrendMicro identified one of the same testing tool files (X) linked to a reported cyberattack using the same Impacket variant on April 29, 2022 (23). The Discovery of this additional tooling is very likely indicative of sustained popularity to identify remaining vulnerable systems for possible cyberattack using Zerologon. The remaining systems are not likely to be of high value at this point because of mitigation efforts over time. EclecticIQ analysts reasonably assume these instances are not covered by policy-mandated patching requirements and are thus more likely to be attached to less critical systems.

 

Find full details on all samples here 

Conclusion

Changes to TTPs Used in Cyberattacks Over the Lifespan of a Vulnerability Have Important Implications for an Organization’s Long-Term Security Posture

This analysis highlights how initial threats and capabilities tied to Zerologon were very high following initial disclosure. Malware then gradually grew more specific with linear objectives that shifted from spying and proprietary information theft to financial gain, as more and more vulnerable systems were patched. After a further point, commodity malware takes over as the primary malware leveraging the vulnerability in a spray-and-pray approach. This lifecycle may continue for many years.

The resulting intelligence data can be used for a more effective iteration of cyber defense in a vulnerability-centric security program. The trends observed across all threats for CVE-2020-1472 are more likely to remain relevant for similar vulnerabilities in the near term. Organizations that already adopt vulnerability-centric security postures can use this type of analysis to direct more efficient resources to counter TTPs. The pyramid of pain says it is more difficult for threat actors to change TTPs compared to IOCs. A structured analysis of more TTPs across many cyberattacks sharing infrastructure (Zerologon) produces intelligence with a longer half-life, better preparing organizations that already adopt vulnerability-centric security postures.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at [email protected] or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

References

1. https://www.secura.com/uploads/whitepapers/Zerologon.pdf
2. https://www.microsoft.com/security/blog/2020/11/30/Zerologon-is-now-detected-by-microsoft-defender-for-identity/
3. https://darktrace.com/blog/zerologon-exploit-detected-within-24-hours-of-vulnerability-notice
4. https://github.com/dirkjanm/CVE-2020-1472
5. https://threatpost.com/Zerologon-attacks-microsoft-dcs-snowball/159656/
6. https://blog.qualys.com/vulnerabilities-threat-research/2021/02/01/unpacking-the-fireeye-breach-start-here-first
7. https://measuredinsurance.com/blog/Zerologon-the-aftermath/
8. https://attack.mitre.org/groups/G0069/
9. https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
10. https://attack.mitre.org/groups/G0045/
11. https://theintercept.com/2020/12/17/russia-hack-austin-texas/
12. https://www.cisa.gov/uscert/ncas/alerts/aa20-283a
13. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
14. https://blog.malwarebytes.com/videobytes/2020/12/videobytes-ryuk-ransomware-targeting-us-hospitals/)
15. https://blogs.blackberry.com/en/2021/03/Zerologon-to-ransomware
16. https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware
17. https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html
18. https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/the-story-of-Zerologon/
19. https://www.virustotal.com/gui/file/f63e17ff2d3cfe75cf3bb9cf644a2a00e50aaffe45c1adf2de02d5bd0ae35b02
20. https://www.virustotal.com/gui/file/1450f7c85bfec4f5ba97bcec4249ae234158a0bf9a63310e3801a00d30d9abcc/content
21. https://www.bleepingcomputer.com/news/microsoft/microsoft-hackers-using-zerologon-exploits-in-attacks-patch-now/
22. https://www.virustotal.com/gui/search/tag%253Acve-2020-1472/files
23. https://www.trendmicro.com/en_us/research/22/g/analyzing-penetration-testing-tools-that-threat-actors-use-to-br.html 

*** This is a Security Bloggers Network syndicated blog from EclecticIQ Blog authored by EclecticIQ Threat Research Team. Read the original post at: https://blog.eclecticiq.com/long-term-analysis-illustrates-how-risk-posed-by-a-vulnerability-changes-as-exploits-develop-over-time