ZeroLogon has been heavily used by hacking groups in industrial attacks around the world

Symantec security researchers have just revealed a wide-ranging campaign that exploits the ZeroLogon vulnerability against victims in 17 regions, targeting the automotive, engineering, pharmaceutical and hosting-provider sectors, among others. The active attacks are attributed to Cicada (a.k.a. APT10, Stone Panda, and Cloud Hopper).

Cicada, which has been active since at least 2009, has been publicly linked by the U.S. government to the Chinese state and has a long record of cyberattacks on Japanese organizations.

From what is known so far, the new campaign is consistent with that history. It has been active since at least mid-October 2019 and was still running as of October 2020.

Symantec notes that Cicada's tooling includes DLL side-loading, network reconnaissance, credential theft, command-line utilities that can install browser root certificates and decode data, PowerShell scripts, and RAR archiving of collected files, and that the group uses legitimate cloud file-hosting services to move the stolen archives out of the victim network.

It should be noted that the group has also recently added an exploit for the ZeroLogon vulnerability (CVE-2020-1472, CVSS score 10.0) to its toolkit.

Microsoft disclosed and patched the flaw in August 2020, but it remains dangerous on unpatched domain controllers: an attacker with network access to a domain controller can spoof the identity of a domain controller machine account over the Netlogon protocol, reset that account's password, and from there take over the entire Active Directory identity service. The patch was also released as a two-phase rollout, and domain controllers do not reject vulnerable Netlogon connections by default until the enforcement phase, scheduled for February 2021, so patched domains should still be checked for the Netlogon warning events the update introduced.
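For defenders who want to check whether ZeroLogon activity reached their own domain controllers, the following is an added example, not code from Symantec's report or from the article. It scans Windows event records for the Netlogon events Microsoft's August 2020 update introduced (System log IDs 5827 to 5831) and for the tell-tale end of a successful exploit, a Security-log event 4742 in which a domain controller's own machine account is changed with ANONYMOUS LOGON (SID S-1-5-7) as the subject; that last heuristic follows public detection guidance and is an assumption about how the reset appears in the log. The event records and domain controller names are constructed for the example.

```python
"""Flag Windows event records that indicate ZeroLogon (CVE-2020-1472) activity.

Added example; the sample events below are constructed, not real log data.
Event IDs 5827-5831 are the Netlogon events added by Microsoft's August 2020
update. The 4742 heuristic (DC machine account changed by ANONYMOUS LOGON)
is an assumption based on public detection guidance for this exploit.
"""

# System-log events from the August 2020 Netlogon update.
NETLOGON_DENIED = {5827, 5828}          # vulnerable secure channel rejected (enforcement)
NETLOGON_ALLOWED = {5829}               # vulnerable connection allowed (initial deployment phase)
NETLOGON_POLICY_ALLOWED = {5830, 5831}  # allowed by an explicit group-policy exception

ANONYMOUS_LOGON_SID = "S-1-5-7"


def is_dc_account(name, dc_accounts):
    """Case-insensitive membership test for machine account names such as 'DC01$'."""
    return name.upper() in {d.upper() for d in dc_accounts}


def find_zerologon_indicators(events, dc_accounts):
    """Return a list of (severity, reason, event) tuples, in log order.

    events:      iterable of dicts with keys EventID, Computer and a Data dict
                 holding the event's named fields (a simplified XML/JSON export).
    dc_accounts: machine account names of the domain controllers, e.g. {"DC01$"}.
    """
    findings = []
    for ev in events:
        eid = ev["EventID"]
        data = ev.get("Data", {})
        if eid in NETLOGON_ALLOWED:
            findings.append(("high", "vulnerable Netlogon secure channel allowed (5829)", ev))
        elif eid in NETLOGON_DENIED:
            findings.append(("medium", "vulnerable Netlogon connection denied (%d)" % eid, ev))
        elif eid in NETLOGON_POLICY_ALLOWED:
            findings.append(("high", "vulnerable connection allowed by policy exception (%d)" % eid, ev))
        elif eid == 4742:
            # "A computer account was changed". A completed ZeroLogon exploit
            # resets the DC's own machine-account password through a Netlogon
            # channel that was never really authenticated, so the subject is
            # ANONYMOUS LOGON rather than a real principal.
            target = data.get("TargetUserName", "")
            subject_sid = data.get("SubjectUserSid", "")
            if is_dc_account(target, dc_accounts) and subject_sid == ANONYMOUS_LOGON_SID:
                findings.append(("critical",
                                 "DC machine account %s changed by ANONYMOUS LOGON" % target, ev))
    return findings


# Constructed sample export: one benign logon, one allowed vulnerable Netlogon
# connection, one suspicious DC account change, one routine workstation
# password rotation, and one rejected connection from a non-Windows NAS.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01.corp.example",
     "Data": {"TargetUserName": "alice", "SubjectUserSid": "S-1-5-21-1-2-3-1001"}},
    {"EventID": 5829, "Computer": "DC01.corp.example",
     "Data": {"SamAccountName": "DC01$", "ClientIP": "10.0.5.23"}},
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "Data": {"TargetUserName": "DC01$", "SubjectUserSid": "S-1-5-7",
              "SubjectUserName": "ANONYMOUS LOGON"}},
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "Data": {"TargetUserName": "WS042$", "SubjectUserSid": "S-1-5-18",
              "SubjectUserName": "DC01$"}},
    {"EventID": 5827, "Computer": "DC02.corp.example",
     "Data": {"SamAccountName": "NAS01$", "ClientIP": "10.0.9.4"}},
]


def run_sample():
    """Run the detector over the constructed events; returns the findings list."""
    return find_zerologon_indicators(SAMPLE_EVENTS, {"DC01$", "DC02$"})


if __name__ == "__main__":
    for severity, reason, ev in run_sample():
        print("%-8s %s  (%s, EventID %d)" % (severity, reason, ev["Computer"], ev["EventID"]))
```

On a real domain the input would come from an export of the System and Security logs of every domain controller; a 5829 before the enforcement phase tells you which device is still using the vulnerable handshake, and a critical 4742 finding should be treated as a domain compromise rather than a warning.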

In addition, Cicada deployed Backdoor.Hartip, a custom backdoor that had not previously been associated with the group.

The group focuses on information theft and cyberespionage. The data taken includes corporate records, human resources documents, meeting memos and expense information, which is typically packaged into archives before being sent to infrastructure under Cicada's control.

The researchers point out that dwell time varied: in some cases the attackers stayed on a victim's network for a long period, in others they went quiet and became active again later. Because the malware is obfuscated, Symantec could not determine exactly what the group was after in every case.

The attribution to Cicada rests on the DLL side-loading technique and an obfuscation tool named FuckYouAnti, both of which were documented in an earlier Cylance report on APT10, and on the use of QuasarRAT, which Cicada has deployed in previous campaigns.

Symantec concludes that Cicada clearly has the resources and skills to keep mounting complex, widespread campaigns of this kind, and that the threat it poses remains high.