On Monday, Microsoft said that Iranian hackers are exploiting the Zerologon flaw in several hacking campaigns.
Successful attacks let hackers take over servers called domain controllers (DCs), which sit at the center of most enterprise networks, and give intruders full control over their targets.
The company said that Microsoft's Threat Intelligence Center (MSTIC) detected the attacks, which have been going on for at least two weeks.
MSTIC attributed the attacks to a group of Iranian hackers that the company tracks as MERCURY but that is more widely known by the moniker MuddyWater.
The group is believed to be a contractor for the Iranian government, working under instructions from the Islamic Revolutionary Guard Corps, Iran's primary intelligence and military service.
Microsoft says that MERCURY's most recent targets included "a high number of targets involved in work with refugees" and "network technology providers in the Middle East."
Zerologon was described by many as the most dangerous bug disclosed this year. Exploiting it lets hackers take over an unpatched domain controller and, by extension, a company's entire internal network.
Attacks typically have to be carried out from inside the network, but if the domain controller is exposed to the internet, they can also be carried out remotely.
The software giant released patches for Zerologon (CVE-2020-1472) in August, but the first detailed write-up of the bug was not published until September, which is why most attacks did not begin until then.
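As an added, defender-side example that is not part of the article, the PowerShell script below checks domain controllers for the Netlogon events that Microsoft's August patch introduced (5827 to 5831, which flag vulnerable Netlogon secure channel connections) and reports whether enforcement mode is switched on. The domain controller names and the 14-day window are constructed placeholders; the script assumes administrative rights on DCs that already have the August update.

```powershell
# Added example (not from the article): audit domain controllers for the
# Netlogon events added by the August 2020 CVE-2020-1472 patch and check
# whether enforcement mode is enabled.
$DomainControllers = @('DC01', 'DC02')      # constructed placeholders
$Since = (Get-Date).AddDays(-14)            # assumed look-back window

# 5827/5828: vulnerable connection denied (machine / trust account)
# 5829:      vulnerable connection allowed; the device still needs attention
# 5830/5831: vulnerable connection allowed by an explicit group policy exception
$NetlogonEventIds = 5827, 5828, 5829, 5830, 5831

foreach ($dc in $DomainControllers) {
    Write-Host "== $dc =="

    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = $NetlogonEventIds
        StartTime    = $Since
    } -ErrorAction SilentlyContinue

    if ($events) {
        # Summarize by event id so a DC with many 5829 events stands out.
        $events | Group-Object Id |
            Select-Object @{n='EventId';e={$_.Name}}, Count |
            Format-Table -AutoSize
        $events | Select-Object TimeCreated, Id, Message |
            Format-Table -AutoSize -Wrap
    } else {
        Write-Host "No Netlogon 5827-5831 events since $Since"
    }

    # FullSecureChannelProtection = 1 makes the DC refuse vulnerable
    # connections outright instead of only logging them.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $mode = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path $using:regPath -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
    }
    if ($mode -eq 1) {
        Write-Host 'Enforcement mode: ON'
    } else {
        Write-Host 'Enforcement mode: OFF (value absent or not 1)'
    }
}
```

A DC that keeps logging 5829 events has devices still using vulnerable Netlogon connections; those should be patched or updated before enforcement mode is turned on, or they will be refused.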