Are you ready for Zerologon?
We’re back at it again with another (usually) Weekly Threat Report. This week we have:
- Warnings from US-CERT
- Vuln warning: Zerologon
- WICKED PANDA busted
Pioneer Kitten exploiting Pulse Secure, NetScaler, and F5
On September 15, 2020, US-CERT released an advisory warning regarding a widespread Iranian-based cyber campaign.
The advisory states that known Iranian actors, like Pioneer Kitten, have been observed exploiting several publicly known CVEs in Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 products.
To start, Pioneer Kitten conducts mass scanning and uses tools like Nmap to identify open ports. They target CVEs like CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902 for initial access. Then, they pivot through networks over several months, obtaining administrator-level credentials and installing web shells.
The actor relies heavily on open-source and operating system (OS) tooling to conduct operations, including ngrok, fast reverse proxy (FRP), Lightweight Directory Access Protocol (LDAP) directory browser, and web shells known as ChunkyTuna, Tiny, and China Chopper.
Targeted industries include information technology, government, healthcare, financial, insurance, and media. Authorities report the actor is capable of and likely to deploy ransomware on victim networks.
The actor’s activity indicates support of Iranian government interests; however, US-CERT reports that the actor has been observed selling access in online hacker forums. This shows that the malicious activity appears to also serve the actor’s personal financial interests.
Vulnerability warning: Zerologon
Secura’s Tom Tervoort discovered a severe (CVSS score: 10.0) vulnerability in Microsoft’s Netlogon. Last month, Microsoft patched a vulnerability referred to as Zerologon (CVE-2020-1472) that, with a connection to the domain controller, would allow an attacker to trivially become domain admin.
By forging an authentication token for specific Netlogon functionality, an attacker can set the computer password of the domain controller to a known value. After that, the attacker can use this new password to steal the credentials of a domain admin.
The vulnerability comes from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which can update computer passwords. This flaw allows attackers to impersonate any computer (like the domain controller) and execute remote procedure calls as them.
Attackers are already sharing proof-of-concept exploits and using this vulnerability.
Additionally, well-known post-exploitation tools are being updated to include Zerologon attacks. Mimikatz, a Windows post-exploitation tool for pass-the-hash, pass-the-ticket, Kerberoasting, and more, was updated to include a Zerologon exploit.
Luckily, the Microsoft advisory to patch came out last month and you’ve already updated your DC, right?
We’ve created two Suricata/Snort signatures, shared below, that detect both testing scripts and successful exploitation.
One:
alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"[Perch Security] Possible Zerologon Secura Testing Script (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2; content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50; content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:30; isdataat:!5,relative; threshold: type limit, count 5, seconds 30, track by_src; dsize:200<>300; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; classtype:attempted-admin; sid:9001522; rev:1;)
Two:
alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"[Perch Security] Possible Zerologon DC Account Password Set to Null (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2; content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50; content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; isdataat:!5,relative; threshold: type limit, count 5, seconds 30, track by_src; pcre:"/\x00{516}/"; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; classtype:attempted-admin; sid:900153; rev:1;)
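To show what the two signatures actually match, here is an added Python example (not Perch Security's code, and not from the Secura research) that parses the rule options and walks the content chain, with backtracking, over byte strings constructed to satisfy it. The payload layout, the filler bytes and the simplified semantics (flow, threshold, dsize and fast_pattern are parsed but not evaluated) are this example's own assumptions; the payloads are not real Netlogon captures.

```python
"""Evaluate the two Zerologon signatures above against constructed payloads.
Added example, not Perch Security's tooling; rule text is from the post, the payloads
are constructed. Simplified engine: content/offset/depth/distance/within/isdataat/pcre
are evaluated; flow, threshold, dsize and fast_pattern are parsed but not evaluated."""
import re

RULE_ONE = (
    'alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"[Perch Security] Possible Zerologon'
    ' Secura Testing Script (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2;'
    ' content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50;'
    ' content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|";'
    ' distance:0; within:30; isdataat:!5,relative; threshold: type limit, count 5, seconds 30,'
    ' track by_src; dsize:200<>300; reference:url,www.secura.com/blog/zero-logon;'
    ' reference:cve,2020-1472; classtype:attempted-admin; sid:9001522; rev:1;)'
)
RULE_TWO = (
    'alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"[Perch Security] Possible Zerologon'
    ' DC Account Password Set to Null (CVE-2020-1472)"; flow:established,to_server; content:"|00|";'
    ' offset:2; content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50;'
    ' content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|";'
    ' distance:0; isdataat:!5,relative; threshold: type limit, count 5, seconds 30, track by_src;'
    r' pcre:"/\x00{516}/"; reference:url,www.secura.com/blog/zero-logon;'
    ' reference:cve,2020-1472; classtype:attempted-admin; sid:900153; rev:1;)'
)

def parse_rule(rule):
    """Split a rule into its header and an ordered list of (keyword, value)."""
    header, _, body = rule.partition("(")
    options, buf, in_quote = [], "", False
    for ch in body.rstrip().rstrip(")"):
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:          # ';' inside msg/pcre quotes is not a separator
            key, _, val = buf.strip().partition(":")
            options.append((key.strip(), val.strip() or None))
            buf = ""
        else:
            buf += ch
    return header.strip(), options

def content_bytes(val):
    """Decode a content string: |..| segments are hex, the rest is literal text."""
    parts = val.strip('"').split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(parts))

def build_matchers(options):
    """Attach each content's position modifiers to it, in rule order."""
    matchers = []
    for key, val in options:
        if key == "content":
            matchers.append({"pattern": content_bytes(val)})
        elif key in ("offset", "depth", "distance", "within"):
            matchers[-1][key] = int(val)
        elif key == "isdataat":
            matchers[-1]["isdataat"] = val
    return matchers

def _chain(payload, ms, i, cursor):
    """Match contents in order with backtracking: if a later content fails,
    retry the earlier one at its next candidate position, as the engines do."""
    if i == len(ms):
        return True
    m, pat = ms[i], ms[i]["pattern"]
    if i and ("distance" in m or "within" in m):   # relative to the previous match
        start = cursor + m.get("distance", 0)
        end = start + m["within"] if "within" in m else len(payload)
    else:                                           # absolute position in the payload
        start = m.get("offset", 0)
        end = start + m["depth"] if "depth" in m else len(payload)
    pos = payload.find(pat, start, end)
    while pos != -1:
        nxt = pos + len(pat)
        # isdataat:!5,relative -> fewer than 5 bytes may follow; "0" means no constraint
        spec = m.get("isdataat", "0").split(",")[0]
        ok = (len(payload) - nxt >= int(spec.lstrip("!"))) != spec.startswith("!")
        if ok and _chain(payload, ms, i + 1, nxt):
            return True
        pos = payload.find(pat, pos + 1, end)
    return False

def evaluate(rule, payload):
    """True if the payload satisfies the rule's content chain and pcre."""
    _, options = parse_rule(rule)
    for key, val in options:
        if key == "pcre":                           # "/regex/flags" applied to the whole payload
            body = val.strip('"')
            regex = body[1:body.rfind("/")].encode("latin-1")
            if not re.search(regex, payload, re.DOTALL):
                return False
    return _chain(payload, build_matchers(options), 0, 0)

def build_payload(filler_len, zero_run, tail=b"\x07\x07"):
    """Constructed bytes laid out to satisfy the shared content chain (not a capture)."""
    p = b"\x05\x00\x00"                      # byte 2 is the |00| found with offset:2
    p += b"\x01" * 19 + b"\x1a\x00"          # |1a 00| exactly 19 bytes past the cursor (within:2)
    p += b"\x02" * 6 + b"\x5c\x00\x5c\x00"   # |5c 00 5c 00| within:50 of the cursor
    p += b"\x03" * filler_len                # distance:0 allows any gap before the next content
    p += b"\x24\x00\x00\x00\x06\x00"         # the fast_pattern content
    return p + b"\x00" * zero_run + tail     # zero block; a short tail keeps isdataat:!5 true

if __name__ == "__main__":
    for name, rule in (("one", RULE_ONE), ("two", RULE_TWO)):
        print(name, evaluate(rule, build_payload(200, 8)), evaluate(rule, build_payload(6, 516)))
```

Running it shows where the two rules diverge on an otherwise shared chain: rule one only fires when the eight-byte zero block sits within 30 bytes of the previous match and almost nothing follows it, which fits a short test-script probe, while rule two drops that bound and instead requires a 516-byte run of nulls anywhere in the payload, the null password its message refers to.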
If you don’t know what these sigs are for, request a demo to see how the Perch SOC can monitor your network and logs for you.
Busted: WICKED PANDA aka APT 41
The U.S. Department of Justice has announced charges against five Chinese citizens accused of conducting network intrusions targeting over 100 companies globally. Zhang Haoran and Tan Dailin were charged in August 2019 with over two dozen counts of conspiracy, wire fraud, identity theft, and charges related to computer hacking.
Prosecutors also added nine additional charges against Jiang Lizhi, Qian Chuan, and Fu Qiang in August 2020. All defendants are alleged to be part of the Chinese threat activity group APT41 (also known as Barium and WICKED PANDA), which conducts cyber intrusions for personal financial gain in addition to likely supporting the intelligence requirements of the Chinese Ministry of State Security (MSS).
According to court documents, past victims included the likes of software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.
US officials said the group stole proprietary source code, code-signing certificates, customer data, and valuable business information.
The three individuals charged in August 2020 were linked with most of the APT41 intrusions. U.S. officials said these three individuals were employees of Chengdu 404 Network Technology, a front company operated by PRC officials.
Prosecutors also charged two businessmen, who were arrested in Malaysia, for their role in trying to profit from the group’s intrusions into game companies to steal and sell digital goods and virtual currency.
That’s all for this week. Check back in next week and be on the lookout for other blogs coming your way soon.
- Paul
We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com