Iranian APT group actively exploiting ZeroLogon vulnerability

Microsoft is again urging IT admins to patch their systems to protect data from hackers

Microsoft has warned that the Iranian state-sponsored threat group MERCURY has been exploiting the Zerologon vulnerability in real-world attacks, in an effort to steal sensitive information from vulnerable machines.

"MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks," the company wrote on Twitter.

It also urged IT admins to patch their systems as soon as possible to protect their data from hackers.

This is the second warning from Microsoft in the past 10 days. On 23rd September, the software giant said it was actively tracking threat actors attempting to exploit CVE-2020-1472 and had seen "attacks where public exploits have been incorporated into attacker playbooks".

"One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution," the company said.

"Following the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit."

ZeroLogon, a flaw in the Windows Netlogon service, is one of the most dangerous bugs in the history of Windows. Indexed as CVE-2020-1472, this critical elevation-of-privilege bug could allow malicious entities with a foothold on the local network to instantly become a Domain Admin and gain access to an organisation's Active Directory domain controllers.

Because Active Directory manages identities and devices on a network, its compromise could trigger a chain reaction of data leaks.

Dutch cyber security firm Secura first revealed details around ZeroLogon on 14th September. Since then, multiple proof-of-concept (PoC) exploits have appeared on the internet.

According to researchers, the vulnerability is linked to a weakness in the cryptographic algorithm in the NetLogon Remote Protocol (MS-NRPC). The algorithm is used to authenticate users and machines on Windows domain controllers.

The vulnerability impacts most supported versions of Windows Server, from Server 2008 through Server 2019.

Microsoft released a ZeroLogon patch in August and said that it would address the bug in a phased two-part rollout.
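As an added defender's example that is not part of the original article: the August 2020 Netlogon update also introduced new Security-log events on domain controllers, among them Event ID 5829, which records a vulnerable Netlogon secure channel connection that was still allowed during the first, non-enforcing phase of the rollout. Combined with Event ID 4742 (computer account changed) where the subject is ANONYMOUS LOGON and the target is a domain controller's machine account, the pattern an unauthenticated DC password reset leaves behind, a short triage script can surface both unpatched clients and likely exploitation. The sample events, host names and machine accounts below are constructed.

```python
# Added example (not the article's or Microsoft's code): triage domain
# controller Security-log events for Zerologon (CVE-2020-1472) indicators.
#  * 5829: vulnerable Netlogon connection allowed during the phased rollout;
#    each machine account named here needs patching before enforcement.
#  * 4742 with SubjectUserName ANONYMOUS LOGON and a DC machine account as
#    target: consistent with an unauthenticated machine-password reset.
from collections import defaultdict

# Constructed sample events in a simplified, already-parsed form.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "Computer": "DC01.corp.example"},
    {"EventID": 4742, "SubjectUserName": "svc_sccm",
     "TargetUserName": "WS-0042$", "Computer": "DC01.corp.example"},
    {"EventID": 5829, "SamAccountName": "OLDPRINT$",
     "Computer": "DC01.corp.example"},
    {"EventID": 5829, "SamAccountName": "OLDPRINT$",
     "Computer": "DC02.corp.example"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "Computer": "DC01.corp.example"},
]

# Machine accounts of the domain controllers (constructed inventory).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}


def find_zerologon_indicators(events, dc_accounts):
    """Return (suspected_resets, vulnerable_clients).

    suspected_resets: 4742 events matching the anonymous DC reset pattern.
    vulnerable_clients: {machine account: set of DCs reporting 5829 for it}.
    """
    suspected_resets = []
    vulnerable_clients = defaultdict(set)
    for ev in events:
        eid = ev.get("EventID")
        if (eid == 4742
                and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
                and ev.get("TargetUserName") in dc_accounts):
            suspected_resets.append(ev)
        elif eid == 5829:
            vulnerable_clients[ev["SamAccountName"]].add(ev["Computer"])
    return suspected_resets, dict(vulnerable_clients)


if __name__ == "__main__":
    resets, clients = find_zerologon_indicators(SAMPLE_EVENTS, DOMAIN_CONTROLLERS)
    for ev in resets:
        print("ALERT possible Zerologon reset of", ev["TargetUserName"], "on", ev["Computer"])
    for acct, dcs in clients.items():
        print("WARN vulnerable Netlogon client", acct, "seen by", sorted(dcs))
```

A real deployment would feed the function events exported from the Security log (for example via Get-WinEvent or a SIEM) instead of the constructed list.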

The US Department of Homeland Security (DHS) issued an advisory last month, directing all federal agencies to "apply the Windows Server August 2020 security update to all domain controllers" by 21st September. The DHS warned that Zerologon poses "an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action."

The MERCURY threat group, which Microsoft has blamed for the latest Zerologon attacks, is also known as SeedWorm, MuddyWater and TEMP.Zagros within the cyber security community. It was first spotted in 2017 and is known for targeting Middle Eastern nations that pose a threat to the Iranian government.

Most of MERCURY's activities focus on entities in the government, telecommunications, and energy sectors.

Earlier this year, researchers from SecureWorks' Counter Threat Unit said they had observed MuddyWater running spear-phishing email campaigns to target government organisations in Turkey, Iraq and Jordan, and that the hackers' activities had increased since the killing of General Soleimani.

Soleimani, the leader of Iran's Quds Force, was killed in Baghdad on 2nd January, following US airstrikes.

The researchers believed that Iranian threat groups were likely focused on long-running cyber espionage activities in an effort to gather intelligence from some specific countries.