Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors
Microsoft has released a warning concerning the Mercury APT group and their active exploitation of the Zerologon vulnerability in campaigns occurring over the past two weeks. Mercury APT is an Iranian nation-state threat actor leveraging the critical flaw to attack organizations, who have also been referred to as MuddyWater, Static Kitten, and Seedworm. The exploitation of the Zerologon bug can lead to an unauthenticated attacker obtaining the ability to compromise all Active Directory identity services.
Microsoft patched the vulnerability in August as part of its routine Patch Tuesday security updates, however, organizations who have not updated the software are at high risk for attack. The flaw stems from the Netlogon Remote Protocol, which is utilized to perform various tasks related to machine authentication on Windows domain controllers. Microsoft’s announcement about Mercury APT comes after proof-of-concept exploits for the flaws were posted on Github, pushing the Secretary of Homeland Security to issue a rare emergency directive demanding that federal agencies patch the flaw by late September.