In digital terms, the Middle East nations are under heavy fire, as Iranian state-sponsored hackers target its domain controllers for over a long time with MuddyWater. However, hackers do not stop there. It has also been trying to exploit Microsoft's recent patch called the 'Zerologon' discovered to be vulnerable and is under attack for atleast two weeks already.
Hackers have stepped up their game as it targets domain controllers; successful attempts give them full control over their targets and their vast array of networks. Domain Controllers (DC) are the very core of an enterprise network, much like a nucleus is to a cell, considered to be vital and essential.
Zerologon Exploitation, Iranian Hacker's Hole in the Ace
According to ZD Net, Microsoft has been observing the attack for quite some time now as its 'Netlogon' or CVE-2020-1472 was believed to be vulnerable and viewed as the 'weak link' within the system, open for an attack. Microsoft's MSTIC detected the attack and has been closely monitoring it for two weeks now.
MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78 — Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020
The Zerologon system was a recent patch from Microsoft, and can now be detected by the native defense system, Microsoft Defender. The Iranians, identified by Microsoft as "MERCURY," are state-sponsored 'nation-actors' responsible for the most recent attack. They are also known to be the hackers behind 'MuddyWater' as well. Zerologon is one of the most dangerous bugs in Microsoft's history, particularly under Netlogon. This bug enables malicious entities to bypass a system and use its domain controller. Netlogon is a Windows system protocol that authenticates a server to use a DC.
Domain Controller's Vulnerability: Microsoft and Other agencies' move
When the bug in CVE-2020-1472 Netlogon's systems was discovered, the United States government gave three days to patch domain controllers and shut down its systems temporarily. This temporary shutdown helped in tightening the system. However, it did not stop the attacks from coming and resuming.
Microsoft 365 customers can refer to the threat analytics report we published in Microsoft Defender Security Center. The threat analytics report contains technical details, mitigations, and detection details designed to empower SecOps to detect and mitigate this threat. — Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
MERCURY's attacks came as Microsoft published the proof-of-concept code to the public. The Redmond-based company's effort to halt and catch the hackers are now underway as it closely monitors the exploits for almost two weeks now.
MuddyWater and its other designation, MERCURY, are usually targetting Middle Eastern nations that list as threats to the Iranian government. The group is also targetting India and the United States. MuddyWater uses the slowly evolving Powershell-based first stage backdoor that is known as "POWERSTATS."
Microsoft's MSTIC: Key In Detecting MERCURY and Zerologon Exploits
Microsoft's Threat Intelligence Center (MSTIC) is the company's first response and technical team behind every attack forcing its way into their systems. The technology and software developer company has been trying to let the hackers go into its systems, observing them, and catching at the right moment.
The company is also using a 'lab-based' detection procedures with its methods initially tested in a controlled environment within the company. The Microsoft Defender is then harnessed to be a useful tool to ward off the hackers and their attempt to enter the system.
ALSO READ: How to ensure your website is safe for users: 5 tips for every business website
This article is owned by Tech Times
Written by Isaiah Alonzo
