12 October 2020

TA505 cybercrime group incorporates ZeroLogon vulnerability in its attacks

Cybercriminals have started to exploit a critical Windows flaw in their attacks, Microsoft warned. The tech giant said it observed a series of attacks exploiting the ZeroLogon vulnerability allegedly conducted by TA505, a Russia-linked cybercrime group also known as CHIMBORAZO and Evil Corp.

The TA505 cybercrime group has been active since 2014. It is known for its attacks on foreign financial and energy sectors using various malware such as Dridex, Locky ransomware, and TrickBot. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.

The discovered campaign involved fake software updates that connect to command and control (C&C) infrastructure previously linked to TA505.

“We’re seeing more activity leveraging the CVE-2020-1472 exploit (ZeroLogon). A new campaign shrewdly poses as software updates that connect to known CHIMBORAZO (TA505) C2 infrastructure. The fake updates lead to UAC bypass and use of wscript.exe to run malicious scripts,” the company said in a message on Twitter.

“To exploit the vulnerability, attackers abuse MSBuild.exe to compile Mimikatz updated with built-in ZeroLogon functionality,” Microsoft added.
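The two Microsoft statements above describe a process chain a defender can look for: a fake updater spawning wscript.exe with a script from a user-writable directory, and that script host in turn launching MSBuild.exe on a project file dropped in the same location. The following Python is an added example, not code from the article or from Microsoft; it runs two simple rules over constructed process-creation records (Sysmon Event ID 1-style fields, invented here) and reconstructs the parent chain of each hit. The field names, the list of "user-writable" directories and the set of script hosts treated as suspicious MSBuild parents are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# These are illustrative records, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate-Setup.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\update.js"'},
    {"pid": 4301, "ppid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    # Benign: MSBuild started by Visual Studio on a project under a source tree.
    {"pid": 5110, "ppid": 2004,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    # Benign: a logon script run by wscript.exe from a non-user-writable path.
    {"pid": 5200, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]

# Assumed "user-writable" locations; tune to the environment being monitored.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.I)
# Script hosts the article mentions (wscript.exe) plus its console twin.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_user_dir(ev: Dict) -> Optional[Finding]:
    """wscript/cscript executing a script that lives in a user-writable directory."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    if USER_WRITABLE.search(ev["cmdline"]):
        return Finding("script-host-user-writable", ev["pid"], ev["cmdline"])
    return None


def rule_msbuild_abuse(ev: Dict) -> Optional[Finding]:
    """MSBuild.exe launched by a script host, or building a project from a user-writable path."""
    if basename(ev["image"]) != "msbuild.exe":
        return None
    reasons = []
    if basename(ev["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("parent is a script host")
    if USER_WRITABLE.search(ev["cmdline"]):
        reasons.append("project file in user-writable directory")
    if reasons:
        return Finding("msbuild-suspicious", ev["pid"], "; ".join(reasons))
    return None


def run_rules(events: List[Dict]) -> List[Finding]:
    """Apply every rule to every event; at most one finding per rule per event."""
    findings = []
    for ev in events:
        for rule in (rule_script_host_user_dir, rule_msbuild_abuse):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def lineage(events: List[Dict], pid: int) -> List[str]:
    """Walk pid -> ppid and return image names from the process up to the oldest
    known ancestor; the parent_image field fills in when the parent's own record is absent."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(basename(ev["image"]))
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            chain.append(basename(ev["parent_image"]))
        ev = parent
    return chain


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f.rule}: pid={f.pid} chain={' <- '.join(lineage(SAMPLE_EVENTS, f.pid))} ({f.detail})")
```

Both hits come from the same lineage (MSBuild.exe under wscript.exe under the fake updater), which is the point of correlating on parent chain rather than on any single binary: MSBuild.exe and wscript.exe are legitimate on most hosts, and the two benign records are left alone.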

The ZeroLogon (CVE-2020-1472) vulnerability has been described as a privilege escalation issue that could be exploited by an attacker with access to a Windows Domain Controller to take over the Windows domain. CVE-2020-1472 impacts systems running Windows Server 2008 R2 and later.

Last month, Microsoft warned about a MuddyWater campaign exploiting the ZeroLogon flaw.
