Researchers have uncovered a worldwide campaign targeting businesses using the recently-disclosed ZeroLogon vulnerability. 

The active cyberattack is thought to be the handiwork of Cicada, also tracked as APT10, Stone Panda, and Cloud Hopper. 

Historically, the threat group, first discovered in 2009 and one the US believes may be sponsored by the Chinese government, has targeted organizations connected to Japan, and this latest attack wave appears to be no different.

Symantec researchers have documented companies and their subsidiaries in 17 regions that have recently been targeted by Cicada, spanning the automotive, pharmaceutical, engineering, and managed service provider (MSP) industries.


According to the company[2], Cicada's latest attack wave has been active since mid-October 2019 and has continued up to at least October this year. 

Cicada appears to be well-resourced and uses a variety of tools and techniques. This includes DLL side-loading, network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, PowerShell scripts, and both RAR archiving and a legitimate cloud hosting provider for the download, packaging, and exfiltration of stolen information. 

Of particular note is a recent addition to the hacking group's toolkit: a tool able to exploit ZeroLogon. Tracked as CVE-2020-1472[3], issued a CVSS score of 10, and both disclosed and patched by Microsoft in August[4], the vulnerability can be used to spoof domain controller accounts and hijack domains, as well as compromise Active Directory identity services.
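For defenders, the ZeroLogon abuse described above leaves recognisable traces on a domain controller: a machine-account password change (Security event 4742) attributed to ANONYMOUS LOGON, and, on DCs carrying Microsoft's August patch, Netlogon's own vulnerable-secure-channel events (System events 5827 and 5829). The script below is an added example, not code from the article or from Symantec, that scans constructed JSON-lines event records for those two patterns; the field names (`SubjectUserName`, `TargetUserName`, `ClientName`) and the sample records are assumptions for the sake of the demonstration.

```python
"""Flag Windows event records consistent with ZeroLogon (CVE-2020-1472) abuse.
Added example; field names and sample records below are assumed/constructed."""
import json
from typing import List, Optional, Tuple

# Real Windows event IDs used by the check:
#  4742      - "A computer account was changed" (Security log)
#  5827/5829 - Netlogon denied/allowed a vulnerable secure-channel connection
#              (System log; introduced by Microsoft's August 2020 patch)
VULN_NETLOGON_EVENTS = {5827, 5829}


def is_zerologon_indicator(event: dict) -> Optional[str]:
    """Return a short reason if the record looks like ZeroLogon abuse, else None."""
    eid = event.get("EventID")
    if eid in VULN_NETLOGON_EVENTS:
        # Netlogon itself reports a client that attempted the insecure RPC path.
        return f"netlogon vulnerable channel (event {eid}) from {event.get('ClientName')}"
    if eid == 4742:
        subject = (event.get("SubjectUserName") or "").upper()
        target = event.get("TargetUserName") or ""
        # Exploitation resets a DC's machine-account password over an
        # unauthenticated channel, so the change is attributed to ANONYMOUS LOGON.
        if subject == "ANONYMOUS LOGON" and target.endswith("$"):
            return f"machine account {target} changed by ANONYMOUS LOGON"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Parse JSON-lines records and return (EventID, reason) for each hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        reason = is_zerologon_indicator(ev)
        if reason:
            hits.append((ev["EventID"], reason))
    return hits


# Constructed sample records (not real telemetry): a benign computer-account
# change, a suspicious 4742, a 5827 from a patched DC, and an unrelated logon.
SAMPLE_LOG = [
    '{"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "WS22$"}',
    '{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}',
    '{"EventID": 5827, "ClientName": "DC01", "ClientAddress": "10.0.0.55"}',
    '{"EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"}',
]

if __name__ == "__main__":
    for eid, why in scan(SAMPLE_LOG):
        print(eid, why)
```

On a real estate, point `scan` at exported Security and System log records and treat any 4742 hit on a domain controller's account as an incident, not just an alert, since the password reset itself is the compromise.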


Cicada has also launched Backdoor.Hartip, a custom form of malware not before seen in connection to the APT, against its

Read more from our friends at ZDNet