Skip to main content

Iranian hackers targeting Zerologon flaw, says Microsoft

(Image credit: Shutterstock)

State-sponsored hackers from Iran are currently exploiting the Zerologon vulnerability in the wild according to new research from Microsoft's Threat Intelligence Center (MSTIC).

Zerologon affects systems running Windows Server 2008 R2 and later and the vulnerability has even been given a maximum severity rating of 10/10 by the Common Vulnerability Scoring System (CVSS). Successful attacks exploiting the vulnerability can allow attackers to take over servers known as domain controllers (DC) which serve as the centerpieces of most enterprise networks.

MSTIC explained in a tweet that its researchers have been tracking a group of Iranian hackers known as MERCURY or MuddyWater using the ZeroLogon exploit, tracked as CVE-2020-1472, in the wild for the past two weeks.

In the September 2020 edition of its Digital Defense Report, Microsoft noted that MERCURY has targeted NGOs, intergovernmental organizations, government humanitarian aid and human rights organizations in the past. Now though the group, which is believed to be a contractor for the Iranian government, has started targeting organizations that work with refugees and network technology providers in the Middle East.

Zerologon attacks

With a CVE score of 10/10, Zerologon is a very serious vulnerability that resides in the Netlogon protocol which is used by Windows systems to authenticate against a Windows Server running as a domain controller.

By exploiting this vulnerability, hackers can take over an unpatched domain controller and gain full access to an organization's network. While attacks generally need to be carried out from within an internal network, they can also be carried out remotely over the internet if a domain controller is exposed online.

Back in August, Microsoft issued patches to address Zerologon and the company published a detailed write-up about the vulnerability in September. However, weaponized PoC code for Zerologon was released around the same time as the company's write-up which led to a flurry of attacks targeting unpatched servers.

The vulnerability posed such a big risk that the Department of Homeland Security (DHS) gave federal agencies three days to patch their domain controllers or disconnect them from federal networks once the bug was publicly disclosed.

Businesses and government agencies that have yet to patch their domain controllers should do some immediately or risk falling victim to attacks exploiting the Zerologon vulnerability.

Via ZDNet