In an analysis released by Symantec and originally reported by ZDNet, APT 10, also tracked as Stone Panda/Cloud Hopper, has been observed targeting companies in 17 regions involved in the automotive, pharmaceutical, engineering, and MSP industries. Starting from mid-October 2019 to at least October of this year, APT 10 has been leveraging DLL side-loading, Qasar RAT, and various browser based certificate person-in-the-middle techniques to steal personally identifiable information.
The most recent addition to their vast toolkit is a tool able to exploit the CVE-2020-1472 Zerologon vulnerability, which is a critical privilege escalation targeting Active Directory environments. With nothing more than access to a system on the same local network as a Domain Controller, an attacker can completely take over the domain in a matter of seconds. Microsoft released a patch for this vulnerability, which is effective as long as systems administrators update Windows on Domain Controllers. Based on exfiltrated data, it seems that this group is focused on stealing documents that can be used for cyberespionage, such as corporate records, HR documents, meeting memos, and expense information.
Microsoft patched Zerologon in August, and the patch has been deployed successfully around the globe. Binary Defense recommends ensuring that all systems are patched and kept up to date. ZeroLogon is trivial to execute but grants domain admin privileges following proper execution. Network monitoring using the free and open-source solution Suricata with the Emerging Threats (ET) ruleset has proven to be effective to alert when a system attempts to use the Zerologon exploit, which is a useful security signal even if servers are patched the attack fails—it can alert defenders that an attacker is inside the network and let them know what internal IP address the attacker is using. Additionally, Binary Defense recommends the use of a 24/7 SOC monitoring team, such as Binary Defense’s own Security Operations Task Force, in order to catch threats that may sneak by more conventional IoC detection.
For more information, please see ZDNet’s article: https://www.zdnet.com/article/cicada-hacking-group-exploits-zerologon-launches-new-backdoor-in-automotive-industry-attack-wave/