In recent weeks, we have been following the Zerologon (CVE-2020-1472) vulnerability in Microsoft Windows. With the flaw described as one of the most dangerous bugs ever, Microsoft and third parties have been scrambling to fix it. However, Microsoft now says an Iranian state actor has found an exploit for the bug.
According to the company, an advanced persistent threat (APT) group known as MERCURY has been exploiting the bug. The actor has a reputation for going after government agencies in the Middle East.
“MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (Zerologon) in active campaigns over the last 2 weeks,” according to a tweet from Microsoft this week.
Zerologon gives attackers the ability to take control of Windows Servers. It is an elevation of privilege flaw found in Netlogon, a Microsoft process that authenticates users against domain controllers. Microsoft deems the flaw extremely dangerous, rating it 10/10 in terms of severity.
It is also notable for working quickly, something that makes it even more problematic. In fact, Zerologon can infiltrate an enterprise system in three seconds or less. Attackers could also use it to change passwords and, with relatively little effort, take over a whole organization’s network.
MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78
— Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020
Fixing the Problem
As we reported initially, Microsoft has already sent out a patch for the flaw. This patch was supplemented a week later by two third-party patches. 0patch issued a fix, saying Microsoft’s does not work on all systems. The file-sharing utility Samba sent out a patch for its own service.
Microsoft is currently rolling out a fix, and enterprise customers are strongly advised to install it. However, the company will ramp up the patch during the first quarter of 2021: it says another, “enforced” patch will be sent out during this time.
However, now that Zerologon is in the wild, the threat it poses has taken on a new level of danger.
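Between the initial patch and the later enforcement phase described above, a domain controller that has the fix installed still allows vulnerable Netlogon secure-channel connections, but logs them. The script below is an added example, not code from the article or from Microsoft: it triages exported System-log records for the Netlogon event IDs that the August 2020 update introduced (5827/5828 denied, 5829 allowed, 5830/5831 allowed by policy exception) and lists the machine accounts an administrator would need to remediate before the enforced patch lands. The log records are constructed samples shaped like a Get-WinEvent export; the field names and message layout are assumptions.

```python
"""Triage Netlogon secure-channel events logged after the Zerologon
(CVE-2020-1472) patch, to find hosts that still rely on the vulnerable
protocol before enforcement is switched on.

Added example, not from the article. Event IDs 5827-5831 are the ones
the patched Netlogon service logs; the records below are constructed
samples, not real exports.
"""
import re
from collections import Counter

# Event IDs written to the System log by the patched Netlogon service.
VULNERABLE_ALLOWED = 5829            # vulnerable connection allowed (deployment phase)
VULNERABLE_DENIED = {5827, 5828}     # denied from a machine / trust account
POLICY_EXCEPTION_ALLOWED = {5830, 5831}  # allowed because of a group-policy exception

# Constructed sample records in the shape of a Get-WinEvent export (assumption).
SAMPLE_EVENTS = [
    {"Id": 5829, "ProviderName": "NETLOGON",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
                "Machine SamAccountName: FILESRV01$\nDomain: CORP\n"
                "Account Type: Workstation Trust Account\n"
                "Machine Operating System: Windows 7 Professional"},
    {"Id": 5829, "ProviderName": "NETLOGON",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
                "Machine SamAccountName: FILESRV01$\nDomain: CORP\n"
                "Account Type: Workstation Trust Account\n"
                "Machine Operating System: Windows 7 Professional"},
    {"Id": 5829, "ProviderName": "NETLOGON",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
                "Machine SamAccountName: NAS-LEGACY$\nDomain: CORP\n"
                "Account Type: Workstation Trust Account\n"
                "Machine Operating System: Unknown"},
    {"Id": 5827, "ProviderName": "NETLOGON",
     "Message": "The Netlogon service denied a vulnerable Netlogon secure channel connection "
                "from a machine account.\nMachine SamAccountName: OLDPRINT$\nDomain: CORP"},
    {"Id": 5830, "ProviderName": "NETLOGON",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection "
                "because the machine account is allowed in the group policy.\n"
                "Machine SamAccountName: APPSRV02$\nDomain: CORP"},
    # Unrelated noise from another provider; must be ignored.
    {"Id": 7036, "ProviderName": "Service Control Manager",
     "Message": "The Netlogon service entered the running state."},
]

ACCOUNT_RE = re.compile(r"Machine SamAccountName:\s*(\S+)")


def parse_account(message):
    """Pull the machine account name out of a Netlogon event message."""
    match = ACCOUNT_RE.search(message)
    return match.group(1) if match else "<unknown>"


def triage(events):
    """Count Netlogon secure-channel events per machine account.

    Returns a dict of Counters: 'allowed' (5829), 'denied' (5827/5828) and
    'exceptions' (5830/5831). Records from other providers are skipped.
    """
    allowed, denied, exceptions = Counter(), Counter(), Counter()
    for event in events:
        if event.get("ProviderName") != "NETLOGON":
            continue
        account = parse_account(event.get("Message", ""))
        event_id = event["Id"]
        if event_id == VULNERABLE_ALLOWED:
            allowed[account] += 1
        elif event_id in VULNERABLE_DENIED:
            denied[account] += 1
        elif event_id in POLICY_EXCEPTION_ALLOWED:
            exceptions[account] += 1
    return {"allowed": allowed, "denied": denied, "exceptions": exceptions}


def needs_attention(events):
    """Machine accounts still using vulnerable connections, i.e. those that
    will break (or stay exposed via an exception) once enforcement is on."""
    result = triage(events)
    return sorted(set(result["allowed"]) | set(result["exceptions"]))


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for bucket, counts in summary.items():
        print(bucket, dict(counts))
    print("remediate before enforcement:", needs_attention(SAMPLE_EVENTS))
```

In practice the `SAMPLE_EVENTS` list would be replaced by the domain controllers' System-log records exported with the provider name, event ID and message fields; any account that keeps appearing under `allowed` after the vendor patches have been applied is one that will be denied once the enforced update arrives.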