In-depth review – Exploiting CVE in the wild
ZEROLOGON - CVE-2020-1472

This chapter provides a short review of the threat actors and attack campaigns exploiting the CVEs listed in the summary table above. The CVEs are organized by the year they were disclosed, from newest to oldest.

CVE-2020-1472 is a critical elevation of privilege vulnerability in Netlogon, the protocol responsible for authenticating users against domain controllers, and affects Windows Server. Exploitation of the vulnerability could allow attackers to take over servers running as domain controllers in the organization's network by obtaining domain admin privileges.

Nation-state groups spotted exploiting this CVE:
1. The Iranian MuddyWater (also tracked as MERCURY). [14] According to Microsoft, they targeted network technology providers in the Middle East.
2. The Russian APT group Energetic Bear. [15] According to CISA, they targeted US government and aviation networks.
3. The China-based APT group Cicada (aka APT10, Stone Panda, and Cloud Hopper). [16] According to researchers, they targeted multiple industries worldwide, such as automotive, pharmaceutical, engineering and MSPs.

In most attacks, the ZeroLogon vulnerability was chained with known vulnerabilities affecting VPN products. [17] In addition to nation-state groups, there were indications that the infamous Russian cybercrime group TA505 (also tracked as Evil Corp and CHIMBORAZO) has also abused this vulnerability. [18]
14.
15.
16. https://www.zdnet.com/article/cicada-hacking-group-exploits-zerologon-launches-new-backdoor-in-automotive-industry-attack-wave/#ftag=RSSbaffb68
17. https://us-cert.cisa.gov/ncas/alerts/aa20-283a
18. https://securityaffairs.co/wordpress/109323/hacking/ta505-zerologon-attacks.html
7 Vulnerability Threat Intelligence Report