Microsoft announced yesterday that Iranian hackers are taking advantage of the Zerologon vulnerability to carry out hacking campaigns. Successful attacks allow the hackers to take over servers known as domain controllers, which are the core elements of most corporate networks, and in this way gain complete control over their targets. The attacks by the Iranian hackers were detected by the Microsoft Threat Intelligence Center (MSTIC), and the tech giant stated in a tweet on the matter that they have been going on for at least two weeks.
MSTIC attributed the attacks to a group of Iranian hackers known as MuddyWater, to which Microsoft has given the code name "MERCURY". The group is believed to be working for the Iranian government under the command of the Islamic Revolutionary Guard Corps, Iran's main intelligence and military service.
According to Microsoft's Digital Defense Report, this group has targeted NGOs, intergovernmental organizations, government agencies providing humanitarian aid, and human rights organizations. However, Microsoft says MERCURY's latest targets include, among others, refugee organizations and network technology providers in the Middle East.
Zerologon has been described as the most dangerous bug revealed in 2020 so far. It is a vulnerability in Netlogon, the protocol that Windows systems use to authenticate against a Windows server acting as a domain controller.
According to BleepingComputer, exploiting the Zerologon vulnerability can allow hackers to take over an unpatched domain controller and, consequently, the internal network of a target organization. Attacks usually have to be carried out from inside the internal network, but if the domain controller is exposed to the Internet, they can also be carried out remotely over the Internet.
Microsoft released patches last August for the Zerologon vulnerability, identified as CVE-2020-1472. However, the first detailed write-up of the bug was not published until September, which delayed most of the attacks.
Although the security researchers delayed publishing the details to give system administrators more time to apply the patches, proof-of-concept code for Zerologon was released almost the same day as the detailed write-up, triggering a wave of attacks within days.
Following the disclosure of the bug, the US Department of Homeland Security (DHS) gave federal agencies three days to patch their domain controllers or disconnect them from federal networks, in order to prevent the attacks that were expected to follow, and which did come days later.
The MERCURY attacks are estimated to have started about a week after the proof-of-concept code was released, which is also around the time Microsoft began detecting the first attempts to exploit Zerologon.