Posted on October 6, 2020 at 5:36 PM
Zerologon Vulnerability Exploited by Iranian Hackers, Says Microsoft
In an announcement on Monday, Microsoft, the software giant, has made it clear that hackers sponsored by the state of Iran are currently exploiting a Zerologon vulnerability. These hackers, according to Microsoft, are doing so in real-world hacking campaigns.
Should an attack by these hackers be successful, these malicious actors can take over Domain Controller (DC) servers, which serve as centerpieces for an array of enterprise networks. This, in turn, would allow these malicious actors to gain full control over their respective targets.
Iranian Government Sponsored Attacks
The attack itself was detected by the Microsoft Threat Intelligence Center, or MSTIC, and is stated to have been occurring for a minimum of two weeks. This was revealed by the company by way of a brief post on Twitter.
MSTIC has linked these cyberattacks to a group of Iranian hackers. These hackers are referred to by the company as MERCURY, but are more widely known by their moniker: MuddyWatter.
It’s believed that this group serves as a contractor, being directly employed by the Iranian government. In particular, it’s believed that these hackers operate under the command of the Islamic Revolutionary Guard Corps, which is the primary military and intelligence service of Iran.
Targeting Various Groups
As the Digital Defence Report of Microsoft stipulates, this group had historically targeted an array of groups, ranging from intergovernmental organizations, NGOs, human rights organizations, and government humanitarian aid groups.
In its statement, Microsoft highlighted that MuddyWatter’s latest targets hold a high number of groups that operate with refugees, and includes the Middle East’s network technology providers, as well.
An Exploit Of Critical Severity
To many, Zerologon stands as the most dangerous bugs that were ever disclosed for 2020. The bug stands as a vulnerability within Netlogon, which is a protocol leveraged by Windows System. This protocol is used to authenticate against a Windows Server operating as a domain controller.
Through the exploitation of Zerologon, hackers are capable of completely overtaking an unpatched domain controller and, by extension, the internal network of the company.
Typically, attacks need to be carried out by way of internal networks. However, should the domain controller be exposed online, an attack can be carried out remotely, over the Internet.
It was back in August when Microsoft issued out patches for Zerologon, referred to as CVE-2020-1472. However, the first detailed write-up of this bug was published in September, coming as a bid to delay the attacks, for the most part.
The Eternal Battle Of Cybersecurity
Sadly, while the security researchers did delay their published details in a bid to give the system administrators more time to patch it, it wasn’t enough. Almost on the same day the detailed write-up was sent, a weaponized proof-of-concept code for Zerologon was published.
As one would imagine, a wave of attacks occurred within a matter of days as the information spread through blackhat groups like wildfire.
After the disclosure of the bug, DGS had given federal agencies three days to patch their domain controllers, or otherwise disconnect from the federal network. This came in a bid to protect the network from attacks, which came, as the agency predicting, within a matter of days.
It appears that MuddyWatter started to make its attacks after around a week since the proof-of-concept code was published. At about the same time frame, Microsoft had started to record the first exploitation attempts of Zerologon.
Cybersecurity is very much a war without an end, an arms race of tools and exploits as one group feverishly tries to exploit software that the other group is feverishly trying to defend. It’s a war that will doubtlessly rage on in perpetuum with the world’s growing technology.
As always, it’s urged that users keep their systems all up to date, and partake in various security measures to ensure your respective systems are safe from being exploited by malicious actors such as this. With any luck, everyone will implement this patch, and Zerologon will fade away, much like many before it.
