RansomHub Actors Exploit ZeroLogon Vuln in Recent Ransomware Attacks

June 5, 2024 at 05:35PM

RansomHub ransomware recently exploited the ZeroLogon flaw in Windows Netlogon Remote Protocol (CVE-2020-1472) for initial access. Symantec identified the use of Atera, Splashtop, and NetScan tools. Organizations are advised to patch the vulnerability. RansomHub, a ransomware-as-a-service, has impacted numerous organizations. It shares extensive code overlaps with the Knight ransomware, likely due to the purchase of Knight’s source code.

Key Takeaways from Meeting Notes:

– RansomHub ransomware has been using the ZeroLogon flaw in the Windows Netlogon Remote Protocol (CVE-2020-1472) to gain initial access to victims’ environments.
– Prior to deploying the ransomware, the attackers have utilized remote access products like Atera and Splashtop, as well as network scanners such as NetScan.
– ZeroLogon is an elevation-of-privilege flaw triggered when a vulnerable Netlogon secure channel connection is established to a domain controller; organizations need to ensure the vulnerability is patched and the mitigation enforced.
– RansomHub is a ransomware-as-a-service (RaaS) operation and has become one of the most prolific ransomware groups, with extensive code overlaps with the defunct ransomware family Knight, suggesting reuse of its source code.
– RansomHub has successfully recruited old members of the Blackcat/ALPHV ransomware group, enhancing their capabilities further.
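Because the takeaway above stresses both patching and mitigation, the following added example (not code from the original article or from Symantec) shows how a defender can triage the Netlogon enforcement events that patched domain controllers emit for CVE-2020-1472 and check whether enforcement mode is actually switched on. The event IDs (5827–5831) and the `FullSecureChannelProtection` registry value come from Microsoft's guidance for the CVE-2020-1472 update; the log records, host names and field layout are constructed for this example and are not real telemetry.

```python
"""Triage Netlogon enforcement events and the enforcement-mode setting for CVE-2020-1472.

Sample records below are constructed, not collected from a real environment.
Event IDs follow Microsoft's guidance for the August 2020 Netlogon update;
the record layout (dc/account/client fields) is an assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Meaning of each Netlogon enforcement event on a patched domain controller:
#   5827/5828: a vulnerable secure channel was DENIED (machine / trust account).
#              Enforcement is working, but the source host may be unpatched or hostile.
#   5829:      a vulnerable secure channel was ALLOWED because the DC is still in
#              the non-enforcing "deployment" phase -> remediation gap.
#   5830/5831: a vulnerable secure channel was ALLOWED via the group-policy
#              exception list -> accepted risk that should be reviewed regularly.
DENIED = {5827, 5828}
ALLOWED_DEPLOYMENT = {5829}
ALLOWED_BY_POLICY = {5830, 5831}


@dataclass(frozen=True)
class NetlogonEvent:
    dc: str        # domain controller that logged the event
    event_id: int  # Windows System log event ID
    account: str   # machine or trust account that opened the channel
    client: str    # source host reported in the event


# Constructed sample log (hypothetical hosts and addresses).
SAMPLE_EVENTS = [
    NetlogonEvent("DC01", 5829, "FILESRV01$", "10.0.5.21"),
    NetlogonEvent("DC01", 5829, "FILESRV01$", "10.0.5.21"),
    NetlogonEvent("DC01", 5827, "WORKSTATION7$", "10.0.9.77"),
    NetlogonEvent("DC02", 5830, "LEGACYAPP$", "10.0.5.40"),
    NetlogonEvent("DC02", 4624, "svc_backup", "10.0.5.40"),  # unrelated event, ignored
]


def triage(events):
    """Bucket Netlogon enforcement events by severity.

    Returns a dict with keys 'gap' (5829: DC not enforcing), 'policy'
    (5830/5831: explicit exceptions) and 'denied' (5827/5828: blocked attempts).
    Each value maps (dc, account, client) to the number of occurrences.
    """
    buckets = {"gap": defaultdict(int), "policy": defaultdict(int), "denied": defaultdict(int)}
    for ev in events:
        key = (ev.dc, ev.account, ev.client)
        if ev.event_id in ALLOWED_DEPLOYMENT:
            buckets["gap"][key] += 1
        elif ev.event_id in ALLOWED_BY_POLICY:
            buckets["policy"][key] += 1
        elif ev.event_id in DENIED:
            buckets["denied"][key] += 1
    return {name: dict(counts) for name, counts in buckets.items()}


def dcs_not_enforcing(events):
    """Domain controllers that logged 5829: patched, but enforcement mode is still off."""
    return sorted({ev.dc for ev in events if ev.event_id in ALLOWED_DEPLOYMENT})


def enforcement_enabled(netlogon_parameters):
    """Check the Netlogon\\Parameters values exported from a DC.

    Microsoft's guidance enables enforcement mode with the DWORD
    FullSecureChannelProtection = 1 under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters.
    The input is a plain dict, e.g. produced by a registry export, which
    keeps this check offline and testable.
    """
    return netlogon_parameters.get("FullSecureChannelProtection") == 1


if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_EVENTS).items():
        for (dc, account, client), n in counts.items():
            print(f"{bucket:7} {dc} account={account} client={client} x{n}")
    print("DCs not enforcing:", dcs_not_enforcing(SAMPLE_EVENTS))
    print("Enforcement on (sample export):", enforcement_enabled({"FullSecureChannelProtection": 1}))
```

Run the script against an export of the DCs' System logs and Netlogon registry values: any `gap` entry means a DC is still letting vulnerable channels through, `denied` entries point at hosts to patch or investigate, and `policy` entries are the exceptions that should be justified and periodically re-approved.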
