Security News > 2020 > October > Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors
Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability, adding fuel to the fire as the severe flaw continues to plague businesses.
Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.
"MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit in active campaigns over the last 2 weeks," according to a Microsoft tweet on Monday evening.
Microsoft released a patch for the Zerologon vulnerability as part of its August 11, 2020 Patch Tuesday security updates.
"One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint to exploit remotely unpatched servers and then implant a web shell to gain persistent access and code execution," said Microsoft in an earlier analysis.
News URL
https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/
Related news
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks (source)
- Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks (source)
- Microsoft enforces defenses preventing NTLM relay attacks (source)
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-08-17 | CVE-2020-1472 | Use of Insufficiently Random Values vulnerability in multiple products An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). | 0.0 |