Cicada Group exploits Zerologon on targeted Japanese Organizations

November 28, 2020

Researchers' recent disclosure of the Zerologon vulnerability in the Microsoft platform is making noise within the cybersecurity community. Tracked as CVE-2020-1442, it is a vulnerability that adversaries can exploit to gain access to a network's Domain Controller through compromised accounts with elevated privileges. In this scenario, adversaries access the network by deciphering the service account's password on the controller. Using a purpose-built program, they can obtain access within 2-3 seconds. Because the service account has no failed-login counter that locks the profile once a threshold is reached, the program only needs to guess the correct zero-configuration password out of the 256 key combinations to gain access.

Upon gaining access to the controller environment, the adversary has a foothold on the network and can begin by disabling server login services (signing and sealing). After that, they can search Active Directory for an account to compromise, on which they can disable any password lock or simply remove the stored password. From there, the whole malicious operation can commence.

Furthermore, the report also mentions the APT group Cicada, also known as APT10, Stone Panda, and Cloud Hopper, which is suspected of having rampantly exploited this vulnerability since October last year and of remaining hooked into its victims even after the discovery was publicized in October this year. The Cicada group was uncovered in 2009 and has been high on security experts' lists ever since. Many speculate that the group is an adversary backed by the government of China that has been staging cyber espionage against well-known Japanese organizations and their affiliated companies, strategically located in 17 countries worldwide, including the United States.

Evidence shows that, after exploiting the Zerologon vulnerability, the group attacks its target in 3 stages, using tools such as a DLL side-loading program (FuckYouAnti), a .NET loader assembly (ConfuserEx v1.0.0), and then QuasarRAT. In addition to these tools, the group uses custom malware named Backdoor.Hartip, which researchers verified as the most lethal tool the Cicada group currently uses; the variant had not been seen or reported before.

Upon completing the attack, the Cicada group can do pretty much anything it wants on the network. They can exfiltrate essential and classified information from the company and deliver it to their own storage at their leisure but, worst of all, they can perform distributed denial of service. More importantly, they can resume their malicious activity on the network whenever they want, thanks to their ingeniously hidden tools, which are stored on the system disguised as legitimate system files so that security applications cannot detect that it has been compromised.


Microsoft patched the Zerologon vulnerability in August, even though it was publicized and confirmed only this October. However, the final patch for this vulnerability is said to be due for release in February 2021.


All companies have been instructed to deploy the patch immediately, but it is still recommended to install additional security applications such as antimalware software and to inspect logs routinely for indicators of compromise.
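The log inspection recommended above can start with the Netlogon events that Microsoft's August update writes to the System log on domain controllers. The following is an added example, not part of the original article: the event IDs (5827 to 5831) come from Microsoft's deployment guidance, while the record field names, host names, burst threshold and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Netlogon System-log event IDs added by Microsoft's August 2020 update
# (taken from Microsoft's deployment guidance, not from this article).
DENIED = {5827, 5828}              # vulnerable connection refused
ALLOWED_VULNERABLE = {5829}        # vulnerable connection allowed before enforcement
ALLOWED_BY_POLICY = {5830, 5831}   # allowed through an explicit policy exception

BURST_COUNT = 20                       # assumed threshold, tune per environment
BURST_WINDOW = timedelta(seconds=10)   # assumed window, tune per environment

def triage(events):
    """Return (findings, burst_sources) for exported Netlogon event records.

    Each record is a dict with assumed keys: id, machine, time (ISO 8601).
    """
    findings = []
    denied_times = defaultdict(list)
    for ev in events:
        eid, src = ev["id"], ev["machine"]
        if eid in DENIED:
            denied_times[src].append(datetime.fromisoformat(ev["time"]))
        elif eid in ALLOWED_VULNERABLE:
            findings.append((src, "vulnerable connection allowed: update or replace client"))
        elif eid in ALLOWED_BY_POLICY:
            findings.append((src, "allowed by policy exception: review the exception"))
    bursts = set()
    for src, times in denied_times.items():
        times.sort()
        # Sliding window: BURST_COUNT denials from one source inside BURST_WINDOW.
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                bursts.add(src)
                break
    return findings, bursts

def sample_events():
    """Constructed sample records; host names are made up."""
    base = datetime(2020, 11, 28, 9, 0, 0)
    events = [
        {"id": 5829, "machine": "LEGACY-NAS01", "time": base.isoformat()},
        {"id": 5830, "machine": "PRINTSRV02", "time": base.isoformat()},
        {"id": 5827, "machine": "WKS-114", "time": base.isoformat()},
    ]
    # 40 denied connections in about two seconds from a single source.
    events += [{"id": 5827, "machine": "UNKNOWN-HOST",
                "time": (base + timedelta(milliseconds=50 * i)).isoformat()}
               for i in range(40)]
    return events
```

A single denied connection, such as the one from `WKS-114`, is not flagged as a burst; a rapid run of denials from one source is, which fits the article's point that the attack relies on many guesses within seconds.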
