RansomHub Actors Exploit ZeroLogon Vuln in Recent Ransomware Attacks


The RansomHub ransomware attackers have exploited the ZeroLogon vulnerability (CVE-2020-1472) in the Windows Netlogon Remote Protocol to gain initial access to victims’ environments. They utilized dual-use tools like Atera and Splashtop for remote access, and NetScan for network discovery. Before deploying the ransomware, they stopped IIS services using command-line tools iisreset.exe and iisrstas.exe. Organizations are urged to patch and mitigate this vulnerability to defend against such attacks, as highlighted by Symantec Broadcom and Critical Start experts.

Read More…