
Microsoft Says Other Hackers Are Sending Fake Software Updates

Iranian Hackers Exploiting 'Zerologon' Flaw

Microsoft is warning that hackers with connections to Iran, as well as other threat actors, are attempting to exploit a critical vulnerability in Windows Server dubbed Zerologon, for which it has issued a partial patch.

Microsoft’s security teams have found that a nation-state hacking group the company calls Mercury, which has apparent ties to Iran, has been trying to exploit the Zerologon vulnerability against unpatched systems for the past two weeks. The vulnerability, which is tracked as CVE-2020-1472, has been given a CVSS score of 10, the highest possible rating.


Some of the other threat actors attempting to exploit Zerologon are sending messages disguised as software updates; the fake updates download malicious code onto devices, which then connect to a command-and-control server, Microsoft says.

Since August, Microsoft has warned its users to apply a partial patch that the company issued for the Zerologon vulnerability. In September, the U.S. Cybersecurity and Infrastructure Security Agency and several security firms began issuing warnings about the flaw, noting that threat actors were looking to take advantage of unpatched systems (see: Warning: Attackers Exploiting Windows Server Vulnerability).

Concerns About Iran

The Iran-linked Mercury advanced persistent threat group, which is also known as MuddyWater, Static Kitten and Seedworm, is primarily known to target victims in the Middle East, but it has also launched espionage campaigns against organizations in the U.S. and India, according to security reports.

The group, which has been active since 2017, uses a wide variety of tactics and tools against its targets (see: MuddyWater APT Group Upgrades Tactics to Avoid Detection).

Brandon Hoffman, CISO at security firm Netenrich, notes that Iranian hackers have gotten better at exploiting vulnerabilities, including Zerologon.

“Over the years, the Iranians have almost specialized in taking advantage of remote technology vulnerabilities, most notably the Citrix issues last year,” Hoffman tells Information Security Media Group. “They are also notorious for targeting Microsoft products at the same time, although targeting Microsoft certainly holds no exclusivity.”

Other Threats

The fake messages other threat actors are sending about software updates can “lead to [User Account Control] bypass and use of wscript.exe to run malicious scripts,” according to Microsoft.

Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, noted on Twitter that this type of exploit can allow threat actors to infect endpoints within a vulnerable organization, which can then lead to attacks such as ransomware.

Warnings About Zerologon

The Zerologon vulnerability affects Windows Server’s Netlogon Remote Protocol, or MS-NRPC – the authentication component of Active Directory that domain members and domain controllers use to establish a secure channel and that organizations rely on to manage user accounts, including authentication and access, according to Microsoft’s initial alert. The flaw is in the protocol’s authentication handshake: Netlogon computes credentials with AES-CFB8 using a fixed all-zero initialization vector, so an unauthenticated attacker who sends an all-zero client challenge and all-zero credential succeeds against roughly one key in 256 and, after a few hundred attempts on average, can reset a domain controller’s machine account password.

Microsoft issued the first phase of the patch on Aug. 11 to partially mitigate the vulnerability. It plans to issue a second patch Feb. 9, 2021, which will handle the enforcement phase of the update. In September, the company issued an advisory to clarify how the initial patch should be applied (see: Microsoft Issues Updated Patching Directions for ‘Zerologon’).

“The [domain controllers] will now be in enforcement mode regardless of the enforcement mode registry key,” according to Microsoft. “This requires all Windows and non-Windows devices to use secure [Remote Procedure Call] with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device.”
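The enforcement-mode registry key and the per-device exceptions Microsoft refers to can be audited from the domain controller itself. The following PowerShell is an added example for this article, not Microsoft’s or Information Security Media Group’s code. It assumes it runs as an administrator on a domain controller that logs in English; the registry value name and the System-log event IDs 5827–5831 are those documented by Microsoft for the August 2020 update, while the “Machine SamAccountName:” pattern used to pull device names out of the 5829 message text is an assumption about the message format.

```powershell
# Added example (not from the article or from Microsoft): audit one domain controller's
# Zerologon (CVE-2020-1472) posture ahead of the Feb. 9, 2021 enforcement phase.
# Run as an administrator on the DC, or wrap in Invoke-Command for several DCs.

# 1. Enforcement-mode registry value. 1 = enforcement; 0 = vulnerable connections allowed
#    (ignored once the Feb. 2021 enforcement update is installed); absent = initial-deployment
#    behaviour, where non-compliant devices are allowed but logged with event 5829.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mode   = (Get-ItemProperty -Path $params -Name FullSecureChannelProtection `
             -ErrorAction SilentlyContinue).FullSecureChannelProtection

if ($null -eq $mode) {
    Write-Host 'FullSecureChannelProtection not set: initial-deployment mode (vulnerable connections allowed and logged as 5829).'
} elseif ($mode -eq 1) {
    Write-Host 'FullSecureChannelProtection = 1: enforcement mode, secure RPC required for all devices.'
} else {
    Write-Warning "FullSecureChannelProtection = $mode: vulnerable connections still allowed; this setting is ignored after the Feb. 9, 2021 update."
}

# 2. Netlogon events 5827-5831 only exist after the August 2020 update. No events at all over a
#    week on a busy DC suggests the patch is missing (or the System log was rotated).
#    5827/5828 = denied vulnerable connection (machine / trust account)
#    5829      = allowed vulnerable connection during initial deployment
#    5830/5831 = allowed because an exception is configured by group policy
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No Netlogon events 5827-5831 since ' + $since.ToString('yyyy-MM-dd') + ': verify the August 2020 (or later) cumulative update is installed.'
} else {
    Write-Host 'Netlogon secure channel events in the last 7 days:'
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        '{0,6} x event {1}' -f $_.Count, $_.Name
    }

    # 3. Devices still making vulnerable connections. Each of these will be refused (event 5827)
    #    once enforcement is on unless it is fixed or given an explicit exception.
    #    Assumption: the 5829 message contains a "Machine SamAccountName: <name>" line.
    $nonCompliant = $events | Where-Object Id -eq 5829 | ForEach-Object {
        if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] }
    } | Sort-Object -Unique

    if ($nonCompliant) {
        Write-Warning 'Devices that will break under enforcement (seen in event 5829):'
        $nonCompliant | ForEach-Object { "  $_" }
    } else {
        Write-Host 'No vulnerable Netlogon connections observed (no event 5829).'
    }
}
```

Devices listed from event 5829 are the ones that need a firmware or software update to use secure RPC, or, failing that, the explicit exception Microsoft mentions, which is set through the group policy “Domain controller: Allow vulnerable Netlogon secure channel connections”; once excepted, their connections are logged as 5830 or 5831 rather than 5829, so re-running this audit after the change shows whether the exception took effect.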

Managing Editor Scott Ferguson contributed to this report.

