Microsoft says Iranian hackers are exploiting the Zerologon vulnerability

Blog Post, Tuesday, October 6, 2020, in Security
Microsoft links back the attacks to an Iranian hacker group known as Mercury, or MuddyWater.

Microsoft said on Monday that Iranian state-sponsored hackers are currently exploiting the Zerologon vulnerability in real-world hacking campaigns.

Successful attacks would allow hackers to take over servers known as domain controllers (DC) that are the centerpieces of most enterprise networks and enable intruders to gain full control over their targets.

The Iranian attacks were detected by Microsoft's Threat Intelligence Center (MSTIC) and have been going on for at least two weeks, the company said today in a short tweet.
MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78

— Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020
MSTIC linked the attacks to a group of Iranian hackers that the company tracks as MERCURY, but who are more widely known under their moniker of MuddyWater.

The group is believed to be a contractor for the Iranian government working under orders from the Islamic Revolutionary Guard Corps, Iran's primary intelligence and military service.

According to Microsoft's Digital Defense Report, this group has historically targeted NGOs, intergovernmental organizations, government humanitarian aid, and human rights organizations.

Nonetheless, Microsoft says that Mercury's most recent targets included "a high number of targets involved in work with refugees" and "network technology providers in the Middle East."

zdnet.com