French IT company Sopra Steria attacked by Ryuk ransomware, Zerologon exploited?

The French IT company Sopra Steria, to which, for example, large parts of the IT of the National Health Service (NHS) in Great Britain have been outsourced, has fallen victim to a Ryuk ransomware attack. If the information I have is correct, an Active Directory domain controller was taken over via the Zerologon vulnerability, which allowed the ransomware to spread across the service provider's IT network.


Sopra Steria SA is a European management and technology consultancy headquartered in Annecy, France, formed in September 2014 from the merger of Sopra Group SA and Groupe Steria SCA. The German subsidiary is based in Hamburg. The Sopra Steria Group is represented in 25 countries and has 46,245 employees (as of the end of 2019). So this is a major player.

Ryuk ransomware infection

As reported by the French outlet LeMagIT on October 21, 2020, the attack (presumably by the Ryuk ransomware) took place in the night from October 20 to 21, 2020. The Register picked it up in this article on October 22, 2020 and writes that the company refused to say exactly what happened. A press release only confirms the infection:

A cyberattack has been detected on Sopra Steria's (Paris:SOP) IT network on the evening of 20th October. Security measures have been implemented in order to contain risks. The Group's teams are working hard for a return to normal as quickly as possible and every effort has been made to ensure business continuity.

Sopra Steria is in close contact with its customers and partners, as well as the competent authorities.

Sopra Steria's customers are unlikely to be pleased by the incident: in current ransomware campaigns, data is frequently exfiltrated before encryption, and if that happened here, customer data may eventually be published.

Active Directory infrastructure compromised

According to information from The Register, there are indications that Sopra Steria's Active Directory infrastructure has been compromised. It is believed that the attackers succeeded in deploying the Ryuk malware and encrypting files. This is also reported by Bleeping Computer in this article. In a follow-up article published today, LeMagIT reports that the attackers used Cobalt Strike to look for vulnerabilities and to distribute the ransomware.

Cobalt Strike is a commercial adversary-simulation framework: it lets a red team emulate a sophisticated attacker (industrial espionage, for example) against their own organisation's network in order to test defensive measures and improve security. It covers attack reconnaissance, intrusion, establishing persistent access with a stable operational foothold in the victim's network, and subsequent data theft.

The red team that uses it acts as an independent adversary, typically with little or no prior knowledge of the target systems and their structure. The framework ships with a collection of attack tools; the post-engagement tooling includes a report generator. The same capabilities make cracked copies of Cobalt Strike a standard tool of ransomware crews, who use it for exactly the post-exploitation and lateral-movement steps described below.

According to the French article, the distribution of the ransomware and the encryption must have happened very quickly. The extent of the attack is still unclear, as Sopra Steria's IT security team, supported by external cyber security experts, has only just begun to determine the course and scope of the attack.


Did an attack succeed via Zerologon vulnerability?

In the meantime, the IT company's numerous customers have apparently been informed about the attack. The letter reportedly names the Ryuk ransomware and gives details of how the attack unfolded. LeMagIT quotes from it that "the first malicious attacks occurred a few days ago", i.e. before the encryption on October 20, 2020. The techniques used for the intrusion are also described:

Using PsExec for lateral movement in the network, using Cobalt Strike for lateral movement; using transfer bits to install the Ryuk ransomware (which only targets Windows hosts); using a Windows share (Share$) on the domain controllers to store the list of IP addresses the ransomware targets.

LeMagIT assumes that "transfer bits" refers to the Windows service BITS, the Background Intelligent Transfer Service. The magazine also raises the question of whether the attackers used the Zerologon vulnerability to get in and place the malware.
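The three tradecraft items in the customer letter (PsExec, BITS transfers, a share on the domain controllers) all leave traces in standard Windows logs. The following script is an added example of mine, not code from the article, from LeMagIT or from Sopra Steria: three quick hunts for exactly those traces on a Windows server. Log names and event IDs are the standard Windows ones; the 14-day window and the list of "built-in" shares are my assumptions and should be adjusted to your environment.

```powershell
# Added example (not from the article or the customer letter): hunt for the three tradecraft
# items the letter names. Run elevated on the hosts of interest (DCs first).

function Get-PsExecServiceInstalls {
    param([datetime]$Since = (Get-Date).AddDays(-14))   # assumption: two-week look-back
    # PsExec copies a service binary into ADMIN$ (= %SystemRoot%) on the target and registers a
    # service for it (default name PSEXESVC). Every service install is System log event 7045.
    # A renamed PsExec still lands in the Windows root instead of System32, so flag both patterns.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Service = $d.ServiceName; ImagePath = $d.ImagePath; Account = $d.AccountName }
        } |
        Where-Object { $_.Service -match 'PSEXESVC' -or $_.ImagePath -match '^%SystemRoot%\\[^\\]+\.exe$|\\Windows\\[^\\]+\.exe$' }
}

function Get-BitsTransferUrls {
    param([datetime]$Since = (Get-Date).AddDays(-14))
    # Microsoft-Windows-Bits-Client/Operational logs event 59 when a transfer job starts and 60
    # when it stops; both messages carry the remote URL (http(s) or a UNC path).
    # Windows Update and Defender use BITS too, so filter the obvious Microsoft endpoints out
    # (assumption: you have no other legitimate BITS sources; add yours to the exclusion).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59, 60; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $url = if ($_.Message -match '(https?://\S+|\\\\\S+)\s+URL') { $Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Url = $url; Message = $_.Message }
        } |
        Where-Object { $_.Url -and $_.Url -notmatch 'microsoft\.com|windowsupdate\.com' }
}

function Get-RecentFilesOnCustomShares {
    param([datetime]$Since = (Get-Date).AddDays(-14))
    # The letter says the target IP list was stored on a share on the domain controllers.
    # Start with any share beyond the built-in ones and list files written inside the window.
    $builtin = 'ADMIN$', 'IPC$', 'NETLOGON', 'SYSVOL', 'print$'     # assumption: DCs host no other shares
    Get-SmbShare |
        Where-Object { $_.Path -and $_.Name -notin $builtin -and $_.Name -notmatch '^[A-Z]\$$' } |
        ForEach-Object {
            $share = $_
            Get-ChildItem -Path $share.Path -Recurse -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -ge $Since } |
                Select-Object @{ n = 'Share'; e = { $share.Name } }, FullName, LastWriteTime, Length
        }
}

Get-PsExecServiceInstalls      | Format-Table -AutoSize
Get-BitsTransferUrls           | Format-Table Time, Id, Url -AutoSize
Get-RecentFilesOnCustomShares  | Format-Table -AutoSize
```

None of the three hits is proof on its own (administrators use PsExec and BITS legitimately), but a 7045 for PSEXESVC on a domain controller, followed by BITS jobs pulling from an unknown host and a fresh text file on a custom share, is the sequence the letter describes and should be escalated.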

I've warned several times about the Zerologon vulnerability (see links at the end of this article). Zerologon (CVE-2020-1472) is an elevation-of-privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC) caused by the insecure use of AES-CFB8 encryption: the ComputeNetlogonCredential function encrypts the 8-byte challenge with a fixed all-zero initialization vector, so for roughly one session key in 256 an all-zero client challenge produces an all-zero credential. An attacker who can reach the Netlogon RPC interface of a domain controller (over the network or, if it is exposed, the Internet) can therefore authenticate as the DC's own machine account after about 256 attempts without knowing any password, reset that account's password, and take over the domain controller (DC).
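The 1-in-256 figure follows directly from how CFB8 works with a zero IV, and it can be reproduced with the AES implementation in .NET. The script below is an added example written for this post; it is not code from the article, from Secura's whitepaper or from any exploit. It encrypts all-zero input under random keys and counts how often the output is all zeros. Sixteen zero bytes are used instead of Netlogon's eight because some .NET runtimes insist on whole-block inputs even in CFB8; the collapse works identically for any length.

```powershell
# Added example (my own): reproduce the cryptographic property behind Zerologon.
# Netlogon's ComputeNetlogonCredential uses AES-CFB8 with the session key and a FIXED zero IV.
# With a zero IV the first keystream byte is E_k(0^16)[0]. If that byte happens to be 0, the
# first ciphertext byte is 0, the shift register stays all-zero, and so does every later byte.

function Test-Cfb8ZeroIvCollapse {
    param([byte[]]$Key)
    # Returns $true when an all-zero plaintext encrypts to an all-zero ciphertext under $Key.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode         = [System.Security.Cryptography.CipherMode]::CFB
    $aes.FeedbackSize = 8                                    # CFB8: one byte of feedback per step
    $aes.Padding      = [System.Security.Cryptography.PaddingMode]::None
    $aes.Key          = $Key
    $aes.IV           = [byte[]]::new(16)                    # the fixed zero IV is the bug
    $plain  = [byte[]]::new(16)                              # the attacker's all-zero "client challenge"
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $aes.Dispose()
    return -not ($cipher | Where-Object { $_ -ne 0 })        # no non-zero byte left => collapse
}

function Measure-ZeroCredentialRate {
    param([int]$Trials = 4096)                               # assumption: enough trials to see ~16 hits
    # Each trial stands for one Netlogon session: the session key is derived from the machine
    # password plus fresh challenges, so from the attacker's view it is a random key per attempt.
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $hits = 0
    for ($i = 0; $i -lt $Trials; $i++) {
        $key = [byte[]]::new(16)
        $rng.GetBytes($key)
        if (Test-Cfb8ZeroIvCollapse -Key $key) { $hits++ }
    }
    [pscustomobject]@{
        Trials         = $Trials
        AllZeroOutputs = $hits
        ObservedRate   = [math]::Round($hits / $Trials, 5)
        ExpectedRate   = [math]::Round(1 / 256, 5)           # 0.00391: one session in 256
    }
}

Measure-ZeroCredentialRate
```

The observed rate settles around 0.0039 (16 of 4096 trials on average). That is the whole attack: the exploit simply repeats the NetrServerReqChallenge/NetrServerAuthenticate3 handshake with an all-zero client challenge and credential until the DC happens to pick a session key for which the zero credential is valid, which takes about 256 tries and a few seconds.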

LeMagIT writes that the information provided by Sopra Steria's security team does not address this question. But the magazine quotes Alain Bouillé, general delegate of the club of information and digital security experts Cesin (Club des Experts de la Sécurité de l'Information et du Numérique). In an email to members, Bouillé wrote that the infection with the Ryuk ransomware was caused by an AD domain controller compromised via the CVE-2020-1472 (Zerologon) vulnerability. The members of the club were urged to close this vulnerability as soon as possible.
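For readers who want to act on that advice today, the following triage script is an added example of mine (not Cesin's, Microsoft's or Sopra Steria's code). Run elevated on each domain controller, it reports the Netlogon hardening state, lists the Netlogon warning events the August 2020 update introduced, and looks for the footprint the public exploit leaves in the Security log. Event IDs and the FullSecureChannelProtection registry value are the ones Microsoft documents for this fix; the look-back window is an assumption.

```powershell
# Added example (my own): Zerologon triage on a domain controller.
# Requires: elevated session on the DC, ActiveDirectory module (present on DCs).

function Get-NetlogonPatchState {
    # After the August 2020 update, FullSecureChannelProtection = 1 under Netlogon\Parameters
    # forces enforcement mode (vulnerable Netlogon secure channels are refused). Without the value
    # a patched DC runs in deployment mode and still ALLOWS them (but logs 5829 for each one).
    $params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $enforce = (Get-ItemProperty -Path $params -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    $dll     = Get-Item "$env:SystemRoot\System32\netlogon.dll"   # compare against the version in the KB for your OS
    [pscustomobject]@{
        NetlogonDllVersion = $dll.VersionInfo.FileVersion
        NetlogonDllDate    = $dll.LastWriteTime
        EnforcementMode    = ($enforce -eq 1)
    }
}

function Get-VulnerableNetlogonConnections {
    param([datetime]$Since = (Get-Date).AddDays(-30))   # assumption: 30-day look-back
    # 5829: vulnerable connection ALLOWED (deployment mode); 5827/5828: DENIED;
    # 5830/5831: allowed only because of an explicit "allow vulnerable connections" policy entry.
    # The first message line names the account and machine that used the weak channel.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Detail = ($_.Message -split "`r?`n")[0] }
        }
}

function Get-ZerologonExploitIndicators {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # The public exploit resets the DC's machine account password over an unauthenticated Netlogon
    # channel. On the DC this shows up as Security event 4742 (computer account changed) for a DC
    # account with PasswordLastSet updated, where the acting subject is ANONYMOUS LOGON rather
    # than the DC itself. Unchanged attributes are rendered as "-" in 4742.
    $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Target = $d.TargetUserName; Subject = $d.SubjectUserName; PasswordLastSet = $d.PasswordLastSet }
        } |
        Where-Object { $_.Target -in $dcAccounts -and $_.Subject -eq 'ANONYMOUS LOGON' -and $_.PasswordLastSet -ne '-' }
}

Get-NetlogonPatchState
Get-VulnerableNetlogonConnections | Format-Table -AutoSize
Get-ZerologonExploitIndicators    | Format-Table -AutoSize
```

A DC that logs 5829 is patched but still in deployment mode: fix or replace the devices named in those events, then set FullSecureChannelProtection to 1 rather than waiting for Microsoft's enforcement phase in February 2021. Any 4742 hit from the last function means the DC account password was already reset by an unauthenticated caller, and the host should be treated as compromised, not merely unpatched.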

Similar articles:
Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
CISA Warning: Patch your Windows Servers against CVE-2020-1472 (Zerologon)
Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC
Zerologon Exploits are used in the wild, patching (Windows Server, Samba) recommended

Cruise provider Carnival confirms ransomware attack with data exfiltration
Ransomware grounds French shipping company CMA CGM S.A.
German Software AG victim of Cl0p ransomware, data leaked
Cyber attack with ransomware on US hospital operator UHS
Ransomware attack in German hospital ends deadly for a woman – blame Shitrix vulnerability
Ransomware infection at German Dussmann Group
Garmin shutdown by WastedLocker ransomware attack
AgeLocker Ransomware attacks QNAP NAS drives

This entry was posted in Security.