Original Release Date: 11/19/2020
A long-running global campaign was recently observed in which businesses were compromised using the ZeroLogon vulnerability. Identified as CVE-2020-1472, ZeroLogon is a flaw in the Netlogon Remote Protocol that lets an unauthenticated attacker with network access to a domain controller reset the domain controller's machine account password. From there the attacker can spoof domain controller accounts, take over the domain, and compromise the Active Directory identity services that depend on it. Currently, targets appear to be organizations that have business ties to Japan. The campaign is attributed with medium confidence to APT10, a Chinese government-affiliated threat group also known as menuPass, Stone Panda, and Cicada. APT10 has historically targeted industries including healthcare, construction, engineering, aerospace, and telecommunications, as well as governments, in the US, Europe, and Japan. APT10 uses a wide range of tools and techniques; however, the combination of DLL side-loading with QuasarRAT and Backdoor.Hartip as the final payload is a known APT10 technique, which contributed to the attribution.
Recent exploitation of the ZeroLogon vulnerability is not limited to APT10. Various threat actors have been observed leveraging CVE-2020-1472 because it is easy to exploit and public proof-of-concept code is available, which prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue Emergency Directive 20-04 requiring federal civilian agencies to patch the flaw immediately.
The NJCCIC urges administrators to apply the patch to all domain controllers as soon as possible after appropriate testing, as attacks are ongoing. Note that installing the August 2020 update alone does not fully close the vulnerability: until Netlogon enforcement mode is enabled on the domain controllers, vulnerable Netlogon secure channel connections from non-Windows devices are still allowed, and the update only logs them. Administrators should review the Netlogon events the update introduces, remediate any devices still using vulnerable connections, and then enable enforcement mode. Additionally, we encourage educating yourself and others about these evolving threats and tactics to reduce victimization. Please review the Symantec Enterprise blog post and the ZDNet article for further details.
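The following PowerShell script is an added example for checking a domain controller's CVE-2020-1472 posture; it is not part of the NJCCIC advisory or of any vendor tooling. It assumes the August 2020 (or later) Netlogon update is installed, since the FullSecureChannelProtection registry value and the Netlogon event IDs 5827 through 5831 it reads are the ones Microsoft documented with that update, and it must be run as an administrator on the domain controller itself.

```powershell
# Added example, not from the NJCCIC advisory: report whether this domain
# controller has ZeroLogon enforcement mode enabled and whether the Netlogon
# service has logged vulnerable secure channel connections recently.
# Assumes the August 2020 or later Netlogon update is installed and that the
# script runs elevated on the domain controller.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'FullSecureChannelProtection'

# 1. Enforcement mode. A DWORD value of 1 rejects every vulnerable Netlogon
#    secure channel connection; absent or 0 means only Windows machine and
#    trust accounts are protected and other devices are merely logged.
$enforce = (Get-ItemProperty -Path $paramsKey -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
if ($enforce -eq 1) {
    Write-Output "Enforcement mode: ON ($valueName = 1)"
} else {
    $state = if ($null -eq $enforce) { 'not set' } else { $enforce }
    Write-Output "Enforcement mode: OFF ($valueName is $state); vulnerable Netlogon connections from non-Windows devices are still allowed"
}

# 2. Netlogon events added by the update, from the System log:
#    5827/5828 = vulnerable connection from a machine/trust account denied
#    5829      = vulnerable connection allowed (logged only while enforcement is off)
#    5830/5831 = allowed because the account is covered by the
#                'Domain controller: Allow vulnerable Netlogon secure channel
#                connections' group policy exception
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829, 5830, 5831
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Netlogon 5827-5831 events in the System log since $since"
} else {
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        'Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count
    }

    # Each 5829 event names the account that connected without the protection.
    # These are the devices to fix (or the exploitation attempts to investigate)
    # before enforcement mode is turned on; once it is on, they become 5827/5828.
    $events | Where-Object Id -eq 5829 |
        Select-Object -First 10 TimeCreated, Message |
        Format-List
}
```

Run this on every domain controller, because enforcement mode is a per-server registry setting and Netlogon events are logged only on the domain controller that handled the connection. A sustained stream of 5827 or 5829 events from an account that has no legitimate reason to use Netlogon, or from an unexpected source host, should be treated as a possible exploitation attempt and handed to incident response. Microsoft's phased rollout later turned enforcement mode on by default (in the February 2021 update), but domain controllers that have only the earlier update installed remain in the logging-only phase until the value is set.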