{
	"id": "51b472df-aa17-4d84-adff-0c53bc3ec968",
	"created_at": "2026-04-06T00:06:52.735659Z",
	"updated_at": "2026-04-10T03:36:36.833786Z",
	"deleted_at": null,
	"sha1_hash": "dc35806d6438bc20a52f6091ae250f1e9071ebd2",
	"title": "Ransomware gang now using critical Windows flaw in attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1280938,
	"plain_text": "Ransomware gang now using critical Windows flaw in attacks\r\nBy Ionut Ilascu\r\nPublished: 2020-10-09 · Archived: 2026-04-05 12:36:27 UTC\r\nMicrosoft is warning that cybercriminals have started to incorporate exploit code for the ZeroLogon vulnerability in their attacks. The alert comes after the company noticed ongoing attacks from the cyber-espionage group MuddyWater (SeedWorm) in the second half of September.\r\nThis time, the threat actor is TA505, an adversary that is indiscriminate about the victims it attacks, with a history starting with the distribution of the Dridex banking trojan in 2014.\r\nOver the years, the actor has been involved in attacks delivering a wide variety of malware, from backdoors to ransomware.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-now-using-critical-windows-flaw-in-attacks/\r\nPage 1 of 4\r\nRecently, intrusions from this group have been followed by the deployment of Clop ransomware, as in the attack on Maastricht University last year that resulted in the payment of a 30 bitcoin (about $220,000) ransom.\r\nFake updates and legit tools\r\nMicrosoft says that TA505, which it tracks as Chimborazo, deployed a campaign with fake software updates that connect to the threat actor’s command and control (C2) infrastructure.\r\nThe purpose of the malicious updates is to give the attackers increased privileges (User Account Control bypass) on the target system and to run malicious scripts.\r\nFor the second part, TA505 uses Windows Script Host (WScript.Exe), which allows executing scripts in various programming languages, including VBScript, Python, Ruby, PHP, JavaScript, and Perl.\r\nMicrosoft says that the attackers compile a version of the Mimikatz post-exploitation tool using the Microsoft Build Engine (MSBuild.Exe) for building applications.\r\nThe version of Mimikatz obtained this way includes exploit code for the ZeroLogon vulnerability (CVE-2020-1472). Over the past month, numerous researchers released proof-of-concept exploits for this flaw.\r\nWhat Microsoft described in a short thread is a classic domain takeover attack, where ZeroLogon is a perfect fit. It offers direct access to the domain controller, so the attacker no longer needs to spend time obtaining admin credentials.\r\nWith TA505 involved in the big-money ransomware business, organizations should prioritize applying security patches for this vulnerability, as attacks similar to what Microsoft described are likely to occur with increased frequency.\r\nZeroLogon details available\r\nDiscovered by Tom Tervoort of Secura, ZeroLogon allows intruders on a domain network to increase permissions to administrator level without needing to authenticate.\r\nTervoort found that he could force the connection to a domain controller through the Netlogon Remote Protocol into an unencrypted state (non-secure RPC communication).\r\nNext, by leveraging a flaw in the Netlogon crypto algorithm, it is possible to spoof a domain administrator login. A technical write-up is available from Secura.\r\nMicrosoft addressed this vulnerability partially for now, by preventing Windows Active Directory domain controller communication over non-secure RPC. This update has been available since August 11.\r\nOn February 9, though, a new update will enforce the same secure communication for all devices on the network.\r\nWarnings released\r\nNetwork admins received repeated warnings about the severity of the ZeroLogon vulnerability (maximum critical score 10/10) and were urged to apply the current patch.\r\nWith exploit code (domain admin privileges obtained in seconds) released since mid-September, threat actors moved quickly to incorporate it in their attacks.\r\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on September 18 required the Federal Civilian Executive Branch to treat fixing the flaw as an emergency.\r\nMicrosoft first sounded the alarm on September 23, when it saw ZeroLogon actively exploited in attacks. Next came the alert about MuddyWater leveraging the exploit.\r\nNow it’s cybercriminals wielding it, a clear sign that ZeroLogon is on the way to being adopted by a wide range of threat groups targeting organizations in both the public and private sectors.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-gang-now-using-critical-windows-flaw-in-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-gang-now-using-critical-windows-flaw-in-attacks/"
	],
	"report_names": [
		"ransomware-gang-now-using-critical-windows-flaw-in-attacks"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434012,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc35806d6438bc20a52f6091ae250f1e9071ebd2.pdf",
		"text": "https://archive.orkl.eu/dc35806d6438bc20a52f6091ae250f1e9071ebd2.txt",
		"img": "https://archive.orkl.eu/dc35806d6438bc20a52f6091ae250f1e9071ebd2.jpg"
	}
}