Iranian hackers are actively exploiting Zerologon vulnerability

Microsoft says its Threat Intelligence Center (MSTIC) has detected real-world cyber attacks that are actively exploiting the Windows Zerologon vulnerability. The company attributes the attacks, which have been going on for the last two weeks, to the Iranian state-sponsored hacker team known as MERCURY or Muddy Water.

“MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching,” Microsoft said in a tweet.

The Muddy Water APT group, which has been active since 2017, primarily targets Middle Eastern nations, although the hackers have also been observed targeting victims in India and the US. Typically, the group compromises its targets via spear-phishing attacks that deliver the POWERSTATS backdoor, which receives commands from the attackers, enabling it to exfiltrate files from the system it is running on, execute additional scripts, delete files, and more.

The Zerologon vulnerability (CVE-2020-1472) is a critical elevation-of-privilege issue that affects the Netlogon remote protocol, a legacy protocol still supported on all Windows servers so that they can operate in a domain environment. The vulnerability could be used by an attacker with access to a Windows Domain Controller to take over the Windows domain. CVE-2020-1472 impacts systems running Windows Server 2008 R2 and later.
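For defenders triaging this, the relevant telemetry comes from the domain controllers themselves: after the August 2020 update for CVE-2020-1472, the NETLOGON provider writes event IDs 5827 and 5828 (vulnerable secure-channel connection denied), 5829 (vulnerable connection allowed during the initial deployment phase) and 5830/5831 (allowed because the account is exempted by group policy) to the System log. The script below is an added example, not code from this article or from Microsoft; it reads a constructed sample of such events in an assumed one-JSON-object-per-line export format, groups them by the account that made the connection, and lists the accounts that will break, or remain exposed, once enforcement mode is switched on.

```python
"""Triage NETLOGON secure-channel events (5827-5831) written by domain
controllers that have the August 2020 CVE-2020-1472 update installed.

Added example, not code from the article or from Microsoft. The event IDs
and their meanings come from Microsoft's published guidance for the update.
The records below are constructed sample data in an assumed JSON-per-line
export format, not real telemetry.
"""
import json
from collections import defaultdict

# Meaning of each NETLOGON event ID introduced by the August 2020 update.
EVENT_MEANING = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed-vulnerable", "account"),   # allowed only in the initial deployment phase
    5830: ("allowed-by-policy", "machine account"),
    5831: ("allowed-by-policy", "trust account"),
}

# Constructed sample records (not real telemetry). Field names are assumed.
SAMPLE_LOG = """\
{"EventID": 5829, "Provider": "NETLOGON", "Computer": "DC01", "Account": "LEGACY-NAS$", "Client": "10.0.5.20"}
{"EventID": 5827, "Provider": "NETLOGON", "Computer": "DC01", "Account": "WS-044$", "Client": "10.0.7.44"}
{"EventID": 5829, "Provider": "NETLOGON", "Computer": "DC01", "Account": "LEGACY-NAS$", "Client": "10.0.5.20"}
{"EventID": 5830, "Provider": "NETLOGON", "Computer": "DC02", "Account": "PRINTSRV$", "Client": "10.0.9.3"}
{"EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing", "Computer": "DC01", "Account": "alice"}
"""


def parse_records(text):
    """Yield one dict per non-empty JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def triage(text):
    """Group NETLOGON secure-channel events by the account that connected.

    Returns {account: {"denied": n, "allowed-vulnerable": n,
                       "allowed-by-policy": n, "clients": set_of_ips}}.
    Events from other providers or with unrelated IDs are ignored.
    """
    findings = defaultdict(lambda: {"denied": 0, "allowed-vulnerable": 0,
                                     "allowed-by-policy": 0, "clients": set()})
    for rec in parse_records(text):
        meaning = EVENT_MEANING.get(rec.get("EventID"))
        if meaning is None or rec.get("Provider") != "NETLOGON":
            continue
        outcome, _kind = meaning
        entry = findings[rec["Account"]]
        entry[outcome] += 1
        if "Client" in rec:
            entry["clients"].add(rec["Client"])
    return dict(findings)


def accounts_needing_attention(text):
    """Accounts still making vulnerable connections: 5829 means the connection
    will be denied once enforcement mode is on, 5830/5831 means the account is
    explicitly exempted and stays exposed until the exemption is removed."""
    return sorted(acct for acct, e in triage(text).items()
                  if e["allowed-vulnerable"] or e["allowed-by-policy"])


if __name__ == "__main__":
    for acct, e in sorted(triage(SAMPLE_LOG).items()):
        print(f"{acct:14} denied={e['denied']} "
              f"allowed-vulnerable={e['allowed-vulnerable']} "
              f"allowed-by-policy={e['allowed-by-policy']} "
              f"clients={sorted(e['clients'])}")
    print("needs attention:", accounts_needing_attention(SAMPLE_LOG))
```

Denied events (5827/5828) show the update doing its job and need no action beyond confirming the source is expected; the 5829 entries are the ones to chase down before enforcement, since they identify devices that still negotiate the vulnerable secure channel and will stop authenticating when it is enforced.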

Last month, the US Department of Homeland Security (DHS) issued an emergency directive ordering US federal agencies to immediately patch the Zerologon vulnerability. At the time, Microsoft also warned users that the Zerologon vulnerability was being exploited in the wild.
