Zerologon, probably one of the most dangerous vulnerabilities spotted in the last few years, has reportedly been exploited in the wild by Iranian state-sponsored threat actors.
The bug is a vulnerability in Netlogon (the Netlogon Remote Protocol, MS-NRPC), the protocol Windows systems use to authenticate against a Windows Server acting as a domain controller.
Tracked as CVE-2020-1472, Zerologon lets an attacker who can reach an unpatched domain controller take it over without any credentials, and with it the organisation's entire Active Directory domain.
Exploitation normally has to be carried out from inside the network, since the attacker needs to reach the domain controller's Netlogon RPC interface, but a domain controller that is exposed to the internet can be attacked remotely as well.
Microsoft had already issued patches for this vulnerability in August, but the technical details weren't publicly known until Secura published its write-up in September, which thankfully delayed the inevitable exploits.
That said, it took only about a day from the publication of the full disclosure to the first weaponised proof-of-concept.
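As an added example that is not part of the original article, the following PowerShell pulls the two pieces of evidence a defender would look for on a domain controller: the Netlogon events (5827, 5828, 5829) that the August 2020 update started logging for vulnerable secure-channel connections, and Security event 4742 entries in which a domain controller's own machine account was changed by ANONYMOUS LOGON, which is how the public exploits' password reset of the DC account shows up. It assumes it is run with administrative rights on a domain controller that already has the August 2020 or later update installed and has the ActiveDirectory module available; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example (not from the article): triage a domain controller for Zerologon activity.
# Assumes: run as an administrator on a DC with the August 2020 (or later) update installed,
# which is what adds the Netlogon 5827-5829 events, and the ActiveDirectory module present.

$since = (Get-Date).AddDays(-7)   # arbitrary look-back window

# 1. Netlogon events introduced by the August 2020 update.
#    5827 / 5828: a vulnerable Netlogon secure-channel connection was denied.
#    5829: a vulnerable connection was still allowed (pre-enforcement mode). Any source
#    here that is not a known legacy device deserves a closer look.
$netlogonEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829
    StartTime    = $since
} -ErrorAction SilentlyContinue

$netlogonEvents |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 2. Computer-account changes (4742) on DC machine accounts made by ANONYMOUS LOGON.
#    The public exploits reset the DC's machine-account password over an unauthenticated
#    Netlogon session, so the subject of the change is ANONYMOUS LOGON and the target is
#    a domain controller's account (sAMAccountName ending in '$').
$dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4742
    StartTime = $since
} -ErrorAction SilentlyContinue |
ForEach-Object {
    # Read the EventData fields by name rather than by index so the field order does not matter.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Subject     = $data['SubjectUserName']
        Target      = $data['TargetUserName']
        PasswordSet = $data['PasswordLastSet']
    }
} |
Where-Object { $_.Subject -eq 'ANONYMOUS LOGON' -and $dcAccounts -contains $_.Target } |
Format-Table -AutoSize
```

The first query is also the inventory you need before turning on enforcement: every device listed under 5829 will stop authenticating once vulnerable connections are denied outright, so those have to be patched or explicitly allowed first. A hit on the second query is not something to triage later; a DC whose machine-account password was reset anonymously should be treated as compromised.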
Mercury in action
Now, as Microsoft Security Intelligence reports, Mercury, an Iranian APT, has been actively exploiting the CVE in several campaigns tracked as far back as two weeks ago.
Mercury is the name Microsoft uses for the actor most other vendors track as MuddyWater.
Its attacks appear to have begun around one week after the proof-of-concept code was published, which is also when Microsoft began detecting the first Zerologon exploitation attempts.
If that overlap holds, Mercury can be expected to follow MuddyWater's usual m.o.: a focus on governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon), plus a few other countries in nearby regions (Azerbaijan, Pakistan and Afghanistan).
MuddyWater operators usually deploy a variety of tools and techniques, mostly developed by the group itself in Python, C# and PowerShell, to carry out their attacks, move through the victim's environment and exfiltrate data.
Examples include multiple download-and-execute tools and RATs written in C# and Python, a Python SSH script, and several Python tools for extracting credentials, browser history and more.
And now they have a public, weaponised exploit for one of the most severe vulnerabilities in years at their disposal.