Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack


Researchers said the group was able to move from initial phish to full domain-wide encryption in just five hours.

The Ryuk threat actors have struck again, moving from sending a phishing email to complete encryption across the victim’s network in just five hours.

That breakneck speed is partially the result of the gang using the Zerologon privilege-escalation bug (CVE-2020-1472), less than two hours after the initial phish, researchers said.

The Zerologon vulnerability allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft. It was patched in August, but many organizations remain vulnerable.

In this particular attack, after the attackers elevated their privileges using Zerologon, they used a variety of commodity tools like Cobalt Strike, AdFind, WMI and PowerShell to accomplish their objective, according to the analysis from researchers at the DFIR Report, issued Sunday.

The Attack Begins

The attack started with a phishing email containing a version of the Bazar loader, researchers said. From there, the attackers performed basic mapping of the domain, using built-in Windows utilities such as Nltest. However, they needed to escalate their privileges to do any real damage, so they exploited the recently disclosed Zerologon vulnerability, researchers said.

Having gained elevated admin privileges, the cybercriminals were able to reset the machine password of the primary domain controller, according to the analysis.

Then, they moved laterally to the secondary domain controller, carrying out more domain discovery via Net and the PowerShell Active Directory module.

“From there, the threat actors appeared to use the default named pipe privilege escalation module on the server,” researchers said. “At this point, the threat actors used [Remote Desktop Protocol] RDP to connect from the secondary domain controller to the first domain controller, using the built-in administrator account.”
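As an added illustration (not code from the article or from the DFIR Report), the Python below shows how a defender might flag the machine-password reset of a domain controller described above in Windows Security logs. The domain-controller names and the JSON log lines are constructed, and the field names are assumed to follow the Event ID 4742 ("A computer account was changed") layout.

```python
import json

# Assumption: the defender maintains a list of domain-controller computer accounts.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Constructed sample Security log events (JSON lines), not real telemetry.
# 4742 = "A computer account was changed"; PasswordLastSet is "-" when unchanged.
SAMPLE_LOG = """\
{"EventID": 4742, "SubjectUserName": "FILESRV01$", "TargetUserName": "FILESRV01$", "PasswordLastSet": "2020-10-18T08:00:00Z"}
{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "2020-10-18T09:41:12Z"}
{"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "jdoe", "LogonType": 10}
{"EventID": 4742, "SubjectUserName": "DC02$", "TargetUserName": "DC02$", "PasswordLastSet": "-"}
{"EventID": 4742, "SubjectUserName": "helpdesk1", "TargetUserName": "DC02$", "PasswordLastSet": "2020-10-18T10:02:55Z"}
"""


def classify(event):
    """Return (severity, target, subject) for a DC machine-password reset, else None.

    Routine rotation is performed by the computer account on itself, so the
    subject equals the target. An anonymous subject resetting a DC's password
    is the pattern an unauthenticated Zerologon exploit leaves behind; any
    other non-self subject is worth a manual review.
    """
    if event.get("EventID") != 4742:
        return None
    target = event.get("TargetUserName", "")
    if target not in DOMAIN_CONTROLLERS or event.get("PasswordLastSet", "-") == "-":
        return None  # not a DC, or the account changed but its password did not
    subject = event.get("SubjectUserName", "")
    if subject.upper() == "ANONYMOUS LOGON":
        return ("high", target, subject)
    if subject != target:
        return ("review", target, subject)
    return None


def find_alerts(log_text):
    """Parse JSON lines and collect every alert in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for severity, target, subject in find_alerts(SAMPLE_LOG):
        print(f"[{severity}] machine password of {target} reset by '{subject}'")
```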

Cobalt Strike

Lateral movement was initiated via Server Message Block (SMB) and Windows Management Instrumentation (WMI) executions of Cobalt Strike beacons, researchers said. SMB is a networking file-share protocol included in Windows 10 that provides the ability to read and write files to network devices. WMI meanwhile enables management of data and operations on Windows-based operating systems.

Cobalt Strike belongs to a group of dual-use tools that are typically leveraged for both exploitation and post-exploitation tasks. Other examples in circulation include PowerShell Empire, Powersploit and Metasploit, according to recent findings from Cisco.

“From memory analysis, we were also able to conclude the actors were using a trial version of Cobalt Strike with the EICAR string present in the network configuration for the beacon. Both portable executable and DLL beacons were used,” researchers added.

Once on the main domain controller, another Cobalt Strike beacon was dropped and executed.

The analysis of the attack revealed that after about four hours and 10 minutes, the Ryuk gang pivoted from the primary domain controller, using RDP to connect to backup servers.

“Then more domain reconnaissance was performed using AdFind. Once this completed…the threat actors were ready for their final objective,” according to DFIR’s report.

Five Hours Later: Ryuk

For the final phase of the attack, the Ryuk operators first deployed their ransomware executable onto backup servers. After that, the malware was dropped on other servers in the environment, and then workstations.

Ryuk is a highly active malware, responsible for a string of recent hits, including a high-profile attack that shut down Universal Health Services (UHS), a Fortune-500 owner of a nationwide network of hospitals.

“The threat actors finished their objective by executing the ransomware on the primary domain controller, and at the five-hour mark, the attack completed,” researchers said.

The use of Zerologon made the cybercriminals’ efforts much easier, since the attack didn’t need to be aimed at a high-privileged user who would likely have more security controls.

In fact, the toughest part of the campaign was the start of the attack – the successful installation of Bazar from the initial phishing email, which required user interaction. Researchers note that the user was a Domain User and did not have any other permissions – but that proved to be a non-issue, thanks to Zerologon.

The attack shows that organizations need to be ready to move more quickly than ever in response to any detected malicious activity.

“You need to be ready to act in less than an hour, to make sure you can effectively disrupt the threat actor,” according to researchers.

Zerologon Attacks Surge

The case study comes as exploitation attempts against Zerologon spike. Government officials last week warned that advanced persistent threat actors (APTs) are now leveraging the bug to target elections support systems.

That came just days after Microsoft sounded the alarm that an Iranian nation-state actor was actively exploiting the flaw (CVE-2020-1472). The APT is MERCURY (also known as MuddyWater, Static Kitten and Seedworm). And, Cisco Talos researchers also recently warned of a spike in exploitation attempts against Zerologon.

In September, the stakes got higher for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on Github. This spurred the Secretary of Homeland Security to issue a rare emergency directive, ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.
