Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Iranian Hackers Exploiting 'Zerologon' Flaw

Microsoft Says Other Hackers Are Sending Fake Software Updates
Iranian Hackers Exploiting 'Zerologon' Flaw

Microsoft is warning that hackers with connections to Iran, as well as other threat actors, are attempting to exploit a critical vulnerability in Windows Server dubbed "Zerologon," for which it has issued a partial patch.

Microsoft's security teams have found that a nation-state hacking group the company calls Mercury, which has apparent ties to Iran, has been trying to exploit the unpatched Zerologon vulnerability for the past two weeks. The vulnerability, which is tracked as CVE-2020-1472, has been given a CVSS score of 10 - the most critical.

See Also: Webinar | Financial Institutions Seek a Step-In Approach to Sensitive Unstructured Data Compliance and Security

Some of the other threat actors attempting to exploit Zerologon are sending messages disguised as software updates to download malicious code on devices to connect to a command and control server, Microsoft says.

Since August, Microsoft has warned its users to apply a partial patch that the company issued for the Zerologon vulnerability. In September, the U.S. Cybersecurity and Infrastructure Security Agency and other security firms began issuing warnings about the flaw, noting that threat actors were looking to take advantage of unpatched systems (see: Warning: Attackers Exploiting Windows Server Vulnerability).

Concerns About Iran

The Iran-linked Mercury advanced persistent threat group, which is also known as MuddyWater, Static Kitten and Seedworm, is primarily known to target victims in the Middle East, but it has also launched espionage campaigns against organizations in the U.S. and India, according to security reports.

The group, which has been active since 2017, uses a wide variety of tactics and tools against its targets (see: MuddyWater APT Group Upgrades Tactics to Avoid Detection).

Brandon Hoffman, CISO at security firm Netenrich, notes that Iranian hackers have gotten better at exploiting vulnerabilities, including Zerologon.

"Over the years, the Iranians have almost specialized in taking advantage of remote technology vulnerabilities, most notably the Citrix issues last year," Hoffman tells Information Security Media Group. "They are also notorious for targeting Microsoft products at the same time, although targeting Microsoft certainly holds no exclusivity."

Other Threats

The fake messages other threat actors are sending about software updates can "lead to [User Account Control] bypass and use of wscript.exe to run malicious scripts," according to Microsoft.

Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, noted on Twitter that this type of exploit can allow threat actors to infect endpoints within a vulnerable organization, which can then lead to attacks such as ransomware.

Warnings About Zerologon

The Zerologon vulnerability affects Windows Server's Netlogon Remote Protocol, or MS-NRPC - an authentication component of Active Directory that organizations deploy to manage user accounts, including authentication and access, according to Microsoft's initial alert.

Microsoft issued the first phase of the patch on Aug. 11 to partially mitigate the vulnerability. It plans to issue a second patch Feb. 9, 2021, which will handle the enforcement phase of the update. In September, the company issued an advisory to clarify how the initial patch should be applied (see: Microsoft Issues Updated Patching Directions for 'Zerologon').

"The [domain controllers] will now be in enforcement mode regardless of the enforcement mode registry key," according to Microsoft. "This requires all Windows and non-Windows devices to use secure [Remote Procedure Call] with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device."

Managing Editor Scott Ferguson contributed to this report.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.