Microsoft warns that the MERCURY APT has been actively exploiting CVE-2020-1472 in campaigns for the past two weeks.
Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability (CVE-2020-1472), adding fuel to the fire as the severe flaw continues to plague businesses.
The advanced persistent threat (APT) actor, which Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm), has historically targeted government victims in the Middle East to exfiltrate data. Exploiting the bug allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft.
“MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (Zerologon) in active campaigns over the last 2 weeks,” according to a Microsoft tweet on Monday evening.
Microsoft released a patch for the Zerologon vulnerability (CVE-2020-1472) as part of its August 11, 2020 Patch Tuesday security updates. The bug is located in a core authentication component of Active Directory within the Windows Server OS: the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). As previously reported, the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication. Specifically, the protocol's ComputeNetlogonCredential function encrypts an 8-byte challenge with AES-CFB8 using a fixed all-zero initialization vector. For roughly one in 256 session keys, an all-zero client challenge therefore produces an all-zero client credential, so an attacker who simply repeats the handshake a few hundred times can authenticate as a domain controller's machine account without knowing its password, and then reset that password.
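The mechanism described above, as an added example that is not code from Microsoft, Secura or this article: a generic CFB8 implementation run with Netlogon's all-zero IV, showing why an all-zero client challenge produces an all-zero credential for about one session key in 256, and why the attacker only needs to retry the handshake. To keep it standard-library-only, the block cipher is a keyed PRF built from HMAC-SHA256 (an assumption standing in for AES-128; the property shown depends only on the CFB8 feedback structure and the zero IV, not on the block function). The eight-zero-byte challenge, the 16-random-byte model of a fresh session key per handshake, and all function names are this example's own.

```python
"""
Why an all-zero IV in CFB8 lets Zerologon work.

Added example, not code from Microsoft, Secura or the article. Netlogon's
ComputeNetlogonCredential encrypts the 8-byte challenge with AES-CFB8 under a
fixed all-zero IV. To stay standard-library-only, the stand-in block cipher
below is a keyed PRF (HMAC-SHA256 truncated to 16 bytes), NOT AES; the
property demonstrated depends only on the CFB8 feedback and the zero IV.
"""
import hashlib
import hmac
import random
from typing import Optional

BLOCK_SIZE = 16                 # 128-bit block, as in AES
ZERO_IV = bytes(BLOCK_SIZE)     # the fixed IV Netlogon uses (the bug)
ZERO_CHALLENGE = bytes(8)       # assumption: attacker sends 8 zero bytes, as the public PoCs do


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (keyed PRF, not AES)."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("block must be 16 bytes")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: each plaintext byte is XORed with the first byte of
    E(key, register); the ciphertext byte is then shifted into the 16-byte
    feedback register."""
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Shape of MS-NRPC ComputeNetlogonCredential (AES variant): CFB8, all-zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def key_is_weak(session_key: bytes) -> bool:
    """While every ciphertext byte is zero the register stays all zeros, so each
    keystream byte is the same value, E(key, 0^16)[0]. An all-zero challenge
    therefore yields an all-zero credential exactly when that byte is 0."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def zero_challenge_gives_zero_credential(session_key: bytes) -> bool:
    """Attacker's success condition: ClientCredential equals 8 zero bytes."""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == bytes(8)


def random_session_key(rng: random.Random) -> bytes:
    """Each NetrServerReqChallenge/NetrServerAuthenticate3 round derives a fresh
    session key from the server challenge; modelled here as 16 random bytes."""
    return bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))


def simulate_attack(seed: int, max_attempts: int = 10000) -> Optional[int]:
    """Repeat the handshake with a zero challenge and zero credential until the
    server would accept; return the number of attempts needed (expected ~256)."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        if zero_challenge_gives_zero_credential(random_session_key(rng)):
            return attempt
    return None


def estimate_hit_rate(trials: int, seed: int = 1) -> float:
    """Empirical fraction of session keys for which the trick works (about 1/256)."""
    rng = random.Random(seed)
    hits = sum(zero_challenge_gives_zero_credential(random_session_key(rng))
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("handshake attempts until accepted:", simulate_attack(seed=2020))
    print("hit rate over 20000 keys: %.5f (1/256 = %.5f)"
          % (estimate_hit_rate(20000), 1 / 256))
```

The point to take away is that the leak is structural: nothing about AES is broken, but with a zero IV and a zero plaintext the feedback register never changes, so the eight keystream bytes collapse into one, and the attacker's all-zero guess is right whenever a single byte happens to be zero.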
Then, earlier in September, the stakes rose when four public proof-of-concept exploits for the flaw were released on GitHub. This spurred the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare emergency directive (Emergency Directive 20-04), ordering federal civilian agencies to patch their Windows Server domain controllers against the flaw by Sept. 21.
Microsoft’s alert also comes a week after Cisco Talos researchers warned of a spike in exploitation attempts against Zerologon.
Microsoft did not reveal further details about the victims of the MERCURY exploitation; however, a graph on its website shows that exploitation attempts (by attackers and red teams alike) started as early as Sept. 13 and have been ongoing since.
“One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution,” said Microsoft in an earlier analysis. “Following the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the Zerologon exploit.”
Microsoft, for its part, is addressing the vulnerability in a phased rollout. The initial deployment phase began with the Windows updates released on August 11, 2020: patched domain controllers require secure RPC (signed and sealed Netlogon secure channels) from Windows machine accounts, trust accounts and other domain controllers, but still allow vulnerable connections from non-Windows devices and log them as System event ID 5829. The second phase, planned for the first quarter of 2021, is the "enforcement phase," in which domain controllers will deny vulnerable connections from any device unless an administrator explicitly allows that account through the "Domain controller: Allow vulnerable Netlogon secure channel connections" Group Policy setting. Administrators can opt into enforcement early by setting the FullSecureChannelProtection registry value (under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) to 1 on every domain controller.
Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors