Microsoft said Monday that Iranian state-backed hackers are exploiting the Zerologon vulnerability in real-world hacking. A successful attack would enable hackers to take over servers known as domain controllers (DCs), which are at the heart of most enterprise networks, and give intruders complete control over their targets.
Microsoft said in a brief tweet today that the Iran attack was detected by the Microsoft Threat Intelligence Center (MSTIC) and had been going on for at least two weeks.
MSTIC linked the attacks to an Iranian hacking group that the company tracks as MERCURY, though it is better known by its MuddyWater nickname.
The group is believed to be a contractor for the Iranian government and to work under the orders of Iran’s main intelligence and military unit, the Islamic Revolutionary Guard Corps.
According to Microsoft’s Digital Defense Report, the group has historically targeted non-governmental organizations, intergovernmental organizations, and governmental, humanitarian aid and human rights organizations.
Microsoft added that MERCURY’s recent targets include “organizations heavily involved with refugees” and “network technology providers in the Middle East”.
Zerologon has been described by many as the most dangerous bug revealed this year. It is a vulnerability in Netlogon, the protocol Windows systems use to authenticate against Windows servers that run as domain controllers. The Zerologon vulnerability allows attackers to take over an unpatched domain controller, giving them complete control of a company’s internal network.
Attacks usually need to be carried out from an internal network, but remote attacks can also be carried out over the Internet if the domain controller is exposed to the Internet.
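The defensive counterpart to the exploitation described above is checking whether any domain controller is still accepting the vulnerable Netlogon secure-channel connections that the August patch can deny. The following triage script is an added example, not code from the article, Microsoft or the MERCURY reporting. It relies on the System-log event IDs Microsoft introduced with the CVE-2020-1472 update (5827 and 5828 for a denied vulnerable connection from a machine or trust account, 5829 for a vulnerable connection that was still allowed); those IDs come from Microsoft’s patch guidance rather than from the page, and the JSON export format, hostnames, account names and the `burst_threshold` parameter are constructed for the example.

```python
import json
from collections import Counter

# Event IDs written to a domain controller's System log by the August 2020
# Netlogon update (Microsoft's CVE-2020-1472 guidance, not from the article):
DENIED_VULNERABLE = {5827, 5828}   # vulnerable secure channel denied (machine / trust account)
ALLOWED_VULNERABLE = 5829          # vulnerable secure channel still allowed (DC not enforcing)

# Constructed sample export, one JSON object per line; hosts and accounts are made up.
SAMPLE_EXPORT = """
{"TimeCreated": "2020-09-21T10:00:01Z", "Computer": "dc01.corp.example", "EventID": 5829, "SamAccountName": "PRINTSRV$"}
{"TimeCreated": "2020-09-21T10:00:02Z", "Computer": "dc01.corp.example", "EventID": 4624, "SamAccountName": "alice"}
{"TimeCreated": "2020-09-21T10:05:10Z", "Computer": "dc01.corp.example", "EventID": 5829, "SamAccountName": "PRINTSRV$"}
{"TimeCreated": "2020-09-21T10:05:11Z", "Computer": "dc01.corp.example", "EventID": 5829, "SamAccountName": "PRINTSRV$"}
{"TimeCreated": "2020-09-21T10:05:12Z", "Computer": "dc01.corp.example", "EventID": 5829, "SamAccountName": "PRINTSRV$"}
{"TimeCreated": "2020-09-21T10:07:30Z", "Computer": "dc02.corp.example", "EventID": 5827, "SamAccountName": "WS-FINANCE-07$"}
{"TimeCreated": "2020-09-21T10:09:00Z", "Computer": "dc02.corp.example", "EventID": 5829, "SamAccountName": "NAS01$"}
"""


def parse_export(text):
    """Parse a newline-delimited JSON event export into plain dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "time": rec["TimeCreated"],
            "dc": rec["Computer"],
            "event_id": int(rec["EventID"]),
            "account": rec.get("SamAccountName", ""),
        })
    return events


def triage_netlogon_events(events, burst_threshold=3):
    """Summarise Netlogon enforcement events from one or more domain controllers.

    - 'denied': every 5827/5828, i.e. a vulnerable connection the DC refused; each one
      is an endpoint (or an attacker) that tried the insecure channel and should be looked at.
    - 'allowed_vulnerable': 5829 counts per (DC, account); any entry means that DC is still
      in deployment mode and that device still needs fixing before enforcement is switched on.
    - 'bursts': (DC, account) pairs with at least burst_threshold allowed-vulnerable events,
      worth prioritising because a legitimate device rarely needs repeated attempts.
    - 'dcs_in_deployment_mode': DCs that logged any 5829 at all.
    """
    denied = [e for e in events if e["event_id"] in DENIED_VULNERABLE]
    allowed = Counter(
        (e["dc"], e["account"]) for e in events if e["event_id"] == ALLOWED_VULNERABLE
    )
    bursts = sorted(key for key, n in allowed.items() if n >= burst_threshold)
    return {
        "denied": denied,
        "allowed_vulnerable": dict(allowed),
        "bursts": bursts,
        "dcs_in_deployment_mode": sorted({dc for dc, _ in allowed}),
    }


def main():
    summary = triage_netlogon_events(parse_export(SAMPLE_EXPORT))
    for e in summary["denied"]:
        print(f"DENIED  {e['time']} {e['dc']} account={e['account']} event={e['event_id']}")
    for (dc, account), n in sorted(summary["allowed_vulnerable"].items()):
        flag = "  <-- burst" if (dc, account) in summary["bursts"] else ""
        print(f"ALLOWED {dc} account={account} count={n}{flag}")
    print("DCs still accepting vulnerable channels:", ", ".join(summary["dcs_in_deployment_mode"]))


if __name__ == "__main__":
    main()
```

On a real estate the export would come from each DC’s System log (for example via `Get-WinEvent` filtered to these IDs); the goal of the triage is to get `allowed_vulnerable` down to empty on every DC, because only then can Netlogon secure-RPC enforcement be turned on without breaking legitimate devices.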
Microsoft released a patch for Zerologon (CVE-2020-1472) in August, but the first detailed write-up of the bug was not published until September, which delayed most attacks.
Although security researchers held back the details to give system administrators more time to patch, weaponized proof-of-concept code for Zerologon was released almost the same day as the write-up, triggering the first wave of attacks within days.
After the vulnerability was disclosed, the Department of Homeland Security gave federal agencies three days to patch or disconnect domain controllers from federal networks to prevent attacks, which the agency expected to arrive a few days later.
The MERCURY attacks appear to have started about a week after the proof-of-concept code was released, around the same time Microsoft began detecting the first Zerologon exploitation attempts.