Microsoft’s Threat Intelligence Center (MSTIC) has tweeted that Iranian state-backed hackers, tracked by Microsoft as MERCURY, are actively exploiting the Zerologon vulnerability. The flaw is in a weak authentication protocol and can give an attacker full control of the target’s domain controllers, and with them the whole Windows domain.
The vulnerability has been called the most critical Windows bug discovered this year, since exploiting it takes less than a minute to compromise the network. Microsoft issued patches for it in the August 2020 security update and urged everyone to apply them.
Iranian Hackers Exploiting Zerologon
The Zerologon bug in Windows domain controllers has been named the most serious flaw revealed this year, because exploiting it takes a matter of seconds, though the attacker already needs a foothold on the network with access to a domain controller. It has been given the maximum CVSS severity score of 10/10.
The vulnerability lies in the Netlogon Remote Protocol, whose authentication handshake uses a weak cryptographic scheme (AES-CFB8 with an all-zero initialization vector), so an attacker who can reach a domain controller over the network can authenticate as its machine account after a small number of attempts and reset its password. Although this is a second-stage attack that requires an existing foothold, it is considered critical because taking over the domain controllers gives control of the whole network: anyone holding them can launch a range of follow-on attacks, steal data, and so on.
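To make the "small number of attempts" concrete, here is an added example (not code from the article, Microsoft, or the Zerologon researchers) that reproduces the structural weakness of the Netlogon credential computation. The real protocol uses AES-128 in CFB8 mode with a zero IV; to keep this stand-alone with only the standard library, a SHA-256 based keyed function stands in for the AES block encryption (an assumption that does not change the property shown, because CFB8 only ever calls the encrypt direction). The session-key derivation, the attempt loop and the key values are constructed for illustration.

```python
"""Why Zerologon's Netlogon handshake falls to roughly 256 attempts.

Added example, not the article's or Microsoft's code. CFB8 produces one
ciphertext byte at a time: keystream = E_k(shift_register)[0], the byte is
XORed with one plaintext byte, and the ciphertext byte is shifted into the
register. With a zero IV and a zero plaintext, if the very first keystream
byte is 0x00 the register never changes and EVERY output byte is 0x00.
That happens for about 1 in 256 session keys, regardless of the cipher.
"""
import hashlib

BLOCK = 16                 # AES-128 block size in bytes
ZERO_IV = bytes(BLOCK)     # Netlogon fixes the IV to all zeros
ZERO_CHALLENGE = bytes(8)  # the attacker's all-zero 8-byte client challenge


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption for this example:
    a keyed PRF built from SHA-256; CFB8 never needs the decrypt direction)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 over any 16-byte block encryption function."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])   # shift the ciphertext byte in
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Same shape as Netlogon's ComputeNetlogonCredential: CFB8 with IV = 0."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_possible(session_key: bytes) -> bool:
    """True exactly when the first keystream byte for the zero register is 0x00,
    which is the only condition needed for the whole credential to be zero."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def attacker_attempts_until_accepted(max_attempts: int = 10000, seed: int = 0):
    """Simulate the attack loop: each attempt the server derives a fresh
    session key (constructed deterministically from `seed` so runs are
    reproducible) and accepts when its computed credential equals the all-zero
    client credential the attacker supplied. Returns (attempt, session_key)
    or (-1, None) if the budget is exhausted."""
    for attempt in range(1, max_attempts + 1):
        session_key = hashlib.sha256(f"{seed}:{attempt}".encode()).digest()[:BLOCK]
        if compute_netlogon_credential(session_key, ZERO_CHALLENGE) == bytes(8):
            return attempt, session_key
    return -1, None


def zero_fraction(n_keys: int) -> float:
    """Fraction of the keys 0..n_keys-1 whose credential is all zero; expected
    to be close to 1/256."""
    hits = sum(
        compute_netlogon_credential(i.to_bytes(BLOCK, "big"), ZERO_CHALLENGE) == bytes(8)
        for i in range(n_keys)
    )
    return hits / n_keys


if __name__ == "__main__":
    attempt, _ = attacker_attempts_until_accepted()
    print(f"server accepted the zero credential on attempt {attempt}")
    print(f"fraction of keys giving a zero credential: {zero_fraction(65536):.5f} (1/256 = {1/256:.5f})")
```

Against a real domain controller the same loop runs over the NetrServerReqChallenge / NetrServerAuthenticate3 calls with the sign-and-seal flag cleared, and the block function is AES-128; with the `cryptography` package, `Cipher(algorithms.AES(key), modes.CFB8(iv))` gives the genuine primitive, and the 1/256 property is identical. The August 2020 patch closes this by having the domain controller reject Netlogon secure channels that are not signed and sealed, so the attacker can no longer choose the zero-IV, unauthenticated variant.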
Microsoft has been tracking exploitation of the Zerologon bug since September, and now says it has detected an Iranian state-backed group doing so. MSTIC tweeted that it has observed active attacks against Zerologon over the last two weeks.
MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78
— Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020
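For defenders who cannot rely on Microsoft 365 Defender's built-in detections, here is an added example (not the article's, Microsoft's, or MSTIC's code) that triages Windows event records for the indicators Microsoft's August 2020 patch guidance and public incident write-ups associate with Zerologon: a Security event 4742 (computer account changed) whose subject is ANONYMOUS LOGON, which is the post-exploit reset of a machine account password, and the Netlogon System events 5827/5828 (vulnerable secure-channel connection denied) and 5829 (vulnerable connection still allowed). The JSON-lines input, the host and account names, and the field names (which follow the event XML element names but are an assumption about your log pipeline) are all constructed for this example.

```python
"""Triage constructed Windows event records for Zerologon indicators.

Added example, not code from the article or from Microsoft. Severity mapping
is this example's own choice:
  critical  4742 by ANONYMOUS LOGON on a domain controller machine account
  high      4742 by ANONYMOUS LOGON on any other computer account
  medium    5827 / 5828: a vulnerable Netlogon connection was denied
            (a patched DC blocked it; still worth finding the source)
  low       5829: a vulnerable connection was allowed (DC not yet enforcing)
"""
import json
from typing import Dict, List, Optional

# Assumption: the defender knows the DC computer accounts (e.g. from AD).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Constructed sample input: one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.local", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$", "PasswordLastSet": "10/05/2020 09:12:44"}
{"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.local", "SubjectUserName": "DC01$", "SubjectDomainName": "CORP", "TargetUserName": "WS17$", "PasswordLastSet": "10/05/2020 09:10:01"}
{"EventID": 5827, "Channel": "System", "Computer": "DC02.corp.local", "MachineSamAccountName": "WS23$", "Domain": "CORP"}
{"EventID": 5829, "Channel": "System", "Computer": "DC02.corp.local", "MachineSamAccountName": "PRN04$", "Domain": "CORP"}
{"EventID": 4624, "Channel": "Security", "Computer": "DC01.corp.local", "SubjectUserName": "jdoe"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: Dict) -> Optional[Dict]:
    """Return a finding for one event, or None if it is not a Zerologon indicator."""
    event_id = event.get("EventID")
    host = event.get("Computer", "?")

    if event_id == 4742:
        subject = event.get("SubjectUserName", "")
        target = event.get("TargetUserName", "")
        # A machine account password reset performed by an anonymous session is
        # the classic post-exploitation footprint of CVE-2020-1472.
        if subject == "ANONYMOUS LOGON" and target.endswith("$"):
            is_dc = target in DOMAIN_CONTROLLERS
            return {
                "severity": "critical" if is_dc else "high",
                "event_id": 4742,
                "host": host,
                "account": target,
                "reason": "computer account changed by ANONYMOUS LOGON"
                          + (" on a domain controller" if is_dc else ""),
            }
        return None

    if event_id in (5827, 5828):
        return {
            "severity": "medium",
            "event_id": event_id,
            "host": host,
            "account": event.get("MachineSamAccountName", "?"),
            "reason": "vulnerable Netlogon secure channel connection denied",
        }

    if event_id == 5829:
        return {
            "severity": "low",
            "event_id": 5829,
            "host": host,
            "account": event.get("MachineSamAccountName", "?"),
            "reason": "vulnerable Netlogon connection allowed; DC not in enforcement mode",
        }

    return None


def triage(events: List[Dict]) -> List[Dict]:
    """Findings in input order, most useful when sorted by severity downstream."""
    return [finding for finding in map(classify, events) if finding is not None]


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(f"[{finding['severity']:8}] {finding['event_id']} {finding['host']} "
              f"{finding['account']}: {finding['reason']}")
```

The 5827/5829 events only exist on domain controllers that have the August 2020 update installed, so their absence on an unpatched DC is not a clean bill of health; on such hosts the 4742-by-ANONYMOUS-LOGON rule is the one that still fires.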
The group is tracked as MERCURY, also known as MuddyWater, and is believed to work for Iran’s primary intelligence and military service. It has a track record of attacking NGOs, government bodies, and human rights organizations.
The DHS has also warned federal agencies about the seriousness of Zerologon and ordered them to apply Microsoft’s patch or disconnect unpatched domain controllers from the network. Microsoft released the patch in its August 2020 security update and urged everyone to apply it.