Iranian Hackers Exploiting 'Zerologon' FlawMicrosoft Says Other Hackers Are Sending Fake Software Updates
Microsoft is warning that hackers with connections to Iran, as well as other threat actors, are attempting to exploit a critical vulnerability in Windows Server dubbed "Zerologon," for which it has issued a partial patch.
Microsoft’s security teams have found that a nation-state hacking group the company calls Mercury, which has apparent ties to Iran, has been trying to exploit the unpatched Zerologon vulnerability for the past two weeks. The vulnerability, which is tracked as CVE-2020-1472, has been given a CVSS score of 10 - the most critical.
MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78— Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020
Some of the other threat actors attempting to exploit Zerologon are sending messages disguised as software updates to download malicious code on devices to connect to a command and control server, Microsoft says.
Since August, Microsoft has warned its users to apply a partial patch that the company issued for the Zerologon vulnerability. In September, the U.S. Cybersecurity and Infrastructure Security Agency and other security firms began issuing warnings about the flaw, noting that threat actors were looking to take advantage of unpatched systems (see: Warning: Attackers Exploiting Windows Server Vulnerability).
Concerns About Iran
The Iran-linked Mercury advanced persistent threat group, which is also known as MuddyWater, Static Kitten and Seedworm, is primarily known to target victims in the Middle East, but it has also launched espionage campaigns against organizations in the U.S. and India, according to security reports.
The group, which has been active since 2017, uses a wide variety of tactics and tools against its targets (see: MuddyWater APT Group Upgrades Tactics to Avoid Detection).
Brandon Hoffman, CISO at security firm Netenrich, notes that Iranian hackers have gotten better at exploiting vulnerabilities, including Zerologon.
"Over the years, the Iranians have almost specialized in taking advantage of remote technology vulnerabilities, most notably the Citrix issues last year," Hoffman tells Information Security Media Group. "They are also notorious for targeting Microsoft products at the same time, although targeting Microsoft certainly holds no exclusivity."
The fake messages other threat actors are sending about software updates can "lead to [User Account Control] bypass and use of wscript.exe to run malicious scripts," according to Microsoft.
Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, noted on Twitter that this type of exploit can allow threat actors to infect endpoints within a vulnerable organization, which can then lead to attacks such as ransomware.
This is one of the vulnerabilities human operated ransomware groups are exploiting for past year or so - humans, and InfoSec.— Kevin Beaumont (@GossiTheDog) October 7, 2020
We tell people to install updates when prompted, so they embed fake updates in legit websites. https://t.co/6VPA3PIuYy
Warnings About Zerologon
The Zerologon vulnerability affects Windows Server's Netlogon Remote Protocol, or MS-NRPC - an authentication component of Active Directory that organizations deploy to manage user accounts, including authentication and access, according to Microsoft's initial alert.
Microsoft issued the first phase of the patch on Aug. 11 to partially mitigate the vulnerability. It plans to issue a second patch Feb. 9, 2021, which will handle the enforcement phase of the update. In September, the company issued an advisory to clarify how the initial patch should be applied (see: Microsoft Issues Updated Patching Directions for 'Zerologon').
"The [domain controllers] will now be in enforcement mode regardless of the enforcement mode registry key," according to Microsoft. "This requires all Windows and non-Windows devices to use secure [Remote Procedure Call] with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device."
Managing Editor Scott Ferguson contributed to this report.