Rewterz Threat Alert – CVE-2020-1472 – Attackers Exploiting ‘ZeroLogon’ Windows Flaw – IoCs and PoC
September 25, 2020
Rewterz Threat Advisory – Cisco IOS XE Software Zone-Based Firewall Denial of Service Vulnerabilities
September 25, 2020
Severity
Medium
Analysis Summary
Recently, the threat actor GADOLINIUM has started using cloud services and open-source tools to enhance the weaponization of its malware payloads, to attempt to gain command and control all the way to the server, and to evade detection. These attacks were delivered via spear-phishing emails with malicious attachments. GADOLINIUM tracks the tools and techniques of security practitioners, looking for new techniques it can use or modify to create new exploitation methods. Over the last year, GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits, obfuscating its activity and making it more difficult for analysts to track.
In mid-April 2020, GADOLINIUM actors were detected sending spear-phishing emails with malicious attachments. The attachment filenames were chosen to appeal to the target’s interest in the COVID-19 pandemic. When opened, the PowerPoint file (20200423-sitrep-92-covid-19.ppt) dropped a second file, doc1.dotm. GADOLINIUM campaigns often involve installing web shells on legitimate websites for command and control or traffic redirection. Moreover, during April 2020, the Microsoft Identity Security team suspended 18 Azure Active Directory applications that were determined to be part of GADOLINIUM’s PowerShell Empire infrastructure.
Impact
- Unauthorized Remote Access
- Elevation of Privilege
- Detection Evasion
- Credential Theft
Indicators of Compromise
From Email
- chris[.]sukkar@hotmail[.]com
- fghfert32423dsa@outlook[.]com
- heather[.]mayx@outlook[.]com
- jenny1235667@outlook[.]com
- phillipadamsthird@hotmail[.]com
- robertfetter[.]fdmed@hotmail[.]com
- sdfwfde234sdws@outlook[.]com
- sroggeveen@outlook[.]com
MD5
- bd105eb1715bfcc288b0439f0e889ac7
SHA-256
- faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675
SHA-1
- 7ac1943b88d1acaad614066dcaad69f11f6729c7
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
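A small triage helper, added here as an example and not part of the Rewterz alert, that refangs the sender and file-hash indicators listed above and checks them against mail-log lines and attachment bytes. The Postfix-style `from=<addr>` log format and the sample lines are constructed assumptions, not data from the advisory.

```python
import hashlib
import re

# Sender and file-hash indicators quoted in the advisory above (defanged form).
SENDER_IOCS = [
    "chris[.]sukkar@hotmail[.]com", "fghfert32423dsa@outlook[.]com",
    "heather[.]mayx@outlook[.]com", "jenny1235667@outlook[.]com",
    "phillipadamsthird@hotmail[.]com", "robertfetter[.]fdmed@hotmail[.]com",
    "sdfwfde234sdws@outlook[.]com", "sroggeveen@outlook[.]com",
]
HASH_IOCS = {
    "md5": "bd105eb1715bfcc288b0439f0e889ac7",
    "sha1": "7ac1943b88d1acaad614066dcaad69f11f6729c7",
    "sha256": "faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675",
}

def refang(indicator):
    """Turn the advisory's defanged notation ('[.]') back into a matchable address."""
    return indicator.replace("[.]", ".").strip().lower()

def match_senders(log_lines):
    """Return (line_no, sender) for each log line whose envelope sender is a listed IoC."""
    # Assumes Postfix-style 'from=<addr>' fields (an assumption, not from the advisory).
    watchlist = {refang(s) for s in SENDER_IOCS}
    hits = []
    for number, line in enumerate(log_lines, start=1):
        found = re.search(r"from=<([^>]*)>", line)
        if found:
            sender = refang(found.group(1))
            if sender in watchlist:
                hits.append((number, sender))
    return hits

def match_attachment(data):
    """Hash attachment bytes and return the algorithms whose digest equals the IoC."""
    # An empty list means none of the MD5 / SHA-1 / SHA-256 indicators matched.
    digests = {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_IOCS}
    return sorted(algo for algo, ioc in HASH_IOCS.items() if digests[algo] == ioc)

# Constructed sample log lines (not from the advisory): two IoC senders, one benign.
SAMPLE_LOG = [
    "Apr 21 09:12:01 mx1 postfix/qmgr[123]: 8A1: from=<Heather.Mayx@outlook.com>, size=2048",
    "Apr 21 09:13:44 mx1 postfix/qmgr[123]: 8B2: from=<colleague@example.org>, size=512",
    "Apr 21 09:15:07 mx1 postfix/qmgr[123]: 8C3: from=<sdfwfde234sdws@outlook.com>, size=4096",
]

if __name__ == "__main__":
    print(match_senders(SAMPLE_LOG))
    print(match_attachment(b"constructed attachment bytes, not the real sample"))
```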