Echo Networks is aware of reports from security researchers of active exploitation of the Windows ZeroLogon vulnerability. To make matters worse, the reports highlight that the attackers behind the Ryuk ransomware, one of the most prolific ransomware variants of last year, are incorporating this vulnerability into their arsenal. The reports also show that the Ryuk attackers have changed their approach and are completing their intrusions in a much shorter time frame.
Previously, the typical modus operandi of the attackers behind Ryuk was to exploit known SMB vulnerabilities or brute-force RDP connections and then to “live off the land.” That term refers to using commonly available system tools that are already preinstalled on a machine to move laterally within a victim network, so that a SIEM or endpoint agent does not flag the activity as suspicious.
Once their preparations were complete, the attackers would strike out of the blue and leave an organization’s IT staff puzzled as to how they were compromised. The fact that there was no predictable time frame and no apparent evidence leading up to the attack only added to the confusion: the attack was launched whenever the attackers felt the time was right, with no preset schedule.