Network administrators are urged to patch the ZeroLogon flaw as quickly as possible: it allows an attacker to take control of an entire Microsoft network domain. According to Microsoft, the software's vendor, the Iranian hacker group Mercury, also known as MuddyWater, has exploited this vulnerability in cyber-espionage operations over the past two weeks.
MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78
– Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020
ZeroLogon is a flaw in Microsoft's Netlogon remote protocol. A cryptographic bug makes it possible to impersonate any account in a domain, including the domain controller itself, which gives an attacker administrator privileges on every machine in the network. A first patch was released on August 11, but many companies still haven't installed it. A second patch is due in early 2021 to provide further protection.
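As a defender's check on the patch rollout described above, here is an added example (not from the article or from Microsoft) that summarises the Netlogon events the August 2020 update writes to a domain controller's System log, so an administrator can see which accounts still make vulnerable secure-channel connections before the later update blocks them; the tab-separated export layout, the "SamAccountName:" message field and the account names are constructed assumptions.

```python
import re
from collections import defaultdict

# Event IDs the patched Netlogon service writes to the System log on a domain controller.
NETLOGON_EVENTS = {
    5827: "denied vulnerable connection (machine account)",
    5828: "denied vulnerable connection (trust account)",
    5829: "ALLOWED vulnerable connection - will break once enforcement is on",
    5830: "allowed vulnerable connection (machine account permitted by policy)",
    5831: "allowed vulnerable connection (trust account permitted by policy)",
}

# Constructed sample export, "EventID<TAB>Message", with placeholder account names.
# The "SamAccountName:" field layout is an assumption about the export format.
SAMPLE_LOG = """\
5829\tNetlogon allowed a vulnerable Netlogon secure channel connection. SamAccountName: OLD-NAS$ Domain: CORP
5829\tNetlogon allowed a vulnerable Netlogon secure channel connection. SamAccountName: PRINTSRV01$ Domain: CORP
5829\tNetlogon allowed a vulnerable Netlogon secure channel connection. SamAccountName: OLD-NAS$ Domain: CORP
5827\tNetlogon denied a vulnerable Netlogon secure channel connection. SamAccountName: LAB-VM7$ Domain: CORP
5830\tNetlogon allowed a vulnerable connection because of policy. SamAccountName: LEGACY-APP$ Domain: CORP
4624\tAn account was successfully logged on. SamAccountName: alice Domain: CORP
"""

ACCOUNT_RE = re.compile(r"SamAccountName:\s*(\S+)")

def summarise_netlogon_events(log_text):
    """Return {event_id: {account: count}} for the five ZeroLogon-related IDs only."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        event_id, _, message = line.partition("\t")
        if int(event_id) not in NETLOGON_EVENTS:
            continue  # unrelated event (e.g. ordinary logons) is ignored
        m = ACCOUNT_RE.search(message)
        account = m.group(1) if m else "<unknown>"
        summary[int(event_id)][account] += 1
    return {eid: dict(accts) for eid, accts in summary.items()}

def accounts_needing_attention(log_text):
    """Accounts still using vulnerable secure channels with no policy exception (5829):
    they must be updated, replaced or explicitly excepted before enforcement starts."""
    return sorted(summarise_netlogon_events(log_text).get(5829, {}))

if __name__ == "__main__":
    for eid, accts in sorted(summarise_netlogon_events(SAMPLE_LOG).items()):
        print(f"{eid} {NETLOGON_EVENTS[eid]}")
        for name, n in sorted(accts.items()):
            print(f"    {name}: {n}")
    print("Needs attention before enforcement:", accounts_needing_attention(SAMPLE_LOG))
```

On a real domain controller the same summary can be built from the System log filtered to these event IDs; an empty 5829 list is the signal that the enforcement update can be applied without breaking anything.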
Mercury primarily targets government agencies in Asian countries, but also goes after public- and private-sector organizations in Europe and North America.