Microsoft: Iranian Hackers Actively Exploiting Windows Zerologon Flaw


Microsoft today warned that the Iranian-backed MuddyWater cyber-espionage group was observed using ZeroLogon exploits in multiple attacks during the last two weeks.

The ongoing attacks exploiting the critical 10/10 rated CVE-2020-1472 security flaw were spotted by Microsoft’s Threat Intelligence Center.

“MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks,” Microsoft warned earlier today. “We strongly recommend patching.”

The company issued a similar warning last month, on September 23, urging IT admins to apply the security updates issued as part of the August 2020 Patch Tuesday to defend against attacks using public ZeroLogon exploits.

A week later, Cisco Talos also warned of “a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon.”


The Windows Server Zerologon vulnerability

Zerologon is a critical security flaw that, when successfully exploited, lets attackers elevate privileges to domain administrator, enabling them to take control of the entire domain, change any user’s password, and execute any command.

Microsoft is rolling out the fix for Zerologon in two stages since it can cause some of the affected devices to experience authentication issues.

The first one, released on August 11, blocks Windows Active Directory Domain controllers from using unsecured RPC communication and logs auth requests from non-Windows devices that don’t use secure RPC channels to allow admins to fix or replace affected devices.

Starting with the February 2021 Patch Tuesday updates, Microsoft will release another update to enable enforcement mode which requires all network devices to use secure-RPC, unless specifically allowed by admins.

On September 29, Microsoft clarified the steps admins should take to protect devices against ongoing attacks using Zerologon exploits.

The update plan outlined by Microsoft at the time includes the following actions:

  1. UPDATE your Domain Controllers with an update released August 11, 2020 or later.
  2. FIND which devices are making vulnerable connections by monitoring event logs.
  3. ADDRESS non-compliant devices making vulnerable connections.
  4. ENABLE enforcement mode to address CVE-2020-1472 in your environment.
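For step 2, the August 11 update makes domain controllers log Netlogon events 5827 to 5831 in the System log, and triaging them per account shows which devices would stop authenticating under enforcement mode. The sketch below is an added example, not Microsoft's tooling; the export shape (`Id`, `TimeCreated`, `Message`), the abbreviated message text, and all account names are constructed assumptions.

```python
import re
from collections import defaultdict

# Netlogon System-log event IDs introduced by the August 11, 2020 update,
# as described in Microsoft's CVE-2020-1472 guidance.
MEANING = {
    5827: "denied",             # vulnerable connection from a machine account refused
    5828: "denied",             # vulnerable connection from a trust account refused
    5829: "allowed",            # vulnerable connection allowed until enforcement mode
    5830: "allowed_by_policy",  # machine account exempted by group policy
    5831: "allowed_by_policy",  # trust account exempted by group policy
}

# Constructed sample export (not real logs); messages are abbreviated.
SAMPLE_EVENTS = [
    {"Id": 5829, "TimeCreated": "2020-10-05T08:14:02", "Message": "allowed a vulnerable connection. Machine SamAccountName: NAS01$ Domain: CORP"},
    {"Id": 5829, "TimeCreated": "2020-10-05T09:30:41", "Message": "allowed a vulnerable connection. Machine SamAccountName: nas01$ Domain: CORP"},
    {"Id": 5829, "TimeCreated": "2020-10-05T09:02:10", "Message": "allowed a vulnerable connection. Machine SamAccountName: PRINTER7$ Domain: CORP"},
    {"Id": 5830, "TimeCreated": "2020-10-05T09:05:55", "Message": "allowed by policy. Machine SamAccountName: LEGACYAPP$ Domain: CORP"},
    {"Id": 5827, "TimeCreated": "2020-10-05T10:11:00", "Message": "denied a vulnerable connection. Machine SamAccountName: ws-114$ Domain: CORP"},
    {"Id": 7036, "TimeCreated": "2020-10-05T10:12:00", "Message": "unrelated service state change"},
]

ACCOUNT_RE = re.compile(r"(?:Machine SamAccountName|Trust Name):\s*(\S+)")

def triage(events):
    """Count denied / allowed / policy-exempt connections per account."""
    devices = defaultdict(lambda: {"denied": 0, "allowed": 0, "allowed_by_policy": 0, "last_seen": ""})
    for ev in events:
        kind = MEANING.get(ev["Id"])
        match = ACCOUNT_RE.search(ev["Message"])
        if kind is None or match is None:
            continue  # not a Netlogon secure-channel event, or no account field
        entry = devices[match.group(1).upper()]  # account names are case-insensitive
        entry[kind] += 1
        entry["last_seen"] = max(entry["last_seen"], ev["TimeCreated"])  # ISO strings sort by time
    return dict(devices)

def blockers(devices):
    """Accounts still connecting without secure RPC and without an exemption;
    these must be fixed, replaced or explicitly allowed before step 4."""
    return sorted(n for n, d in devices.items() if d["allowed"] and not d["allowed_by_policy"])

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for name in blockers(result):
        print(name, result[name])
```

An empty `blockers` list over a representative logging window is the signal that enforcement mode can be enabled without cutting off devices.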

MERCURY – Iranian cyber-espionage group

MERCURY (also tracked as MuddyWater, SeedWorm, and TEMP.Zagros) is an Iranian-backed hacking group first spotted in 2017 [12] and active since at least May 2017.

The group is known for mainly targeting Middle Eastern and Asian entities, with most of their attacks being focused on organizations in the telecommunications, government (IT services), and oil industry sectors.

Despite being a relatively new APT group, MERCURY is very active, having claimed 131 victims between late September and mid-November 2018, as detailed in a Symantec report.

The MERCURY hackers were also seen expanding their attacks to defense and government entities in Central and Southwest Asia, as well as numerous privately-held and public companies from North America, Europe, and Asia [1, 2, 3].
