On October 6, 2020, Microsoft's Threat Intelligence Center (MSTIC) tweeted that it had observed an Iranian state-sponsored group, codenamed as MERCURY by MSTIC, were seen actively trying to exploit the recently patched ZeroLogon vulnerability. Successful exploitation of the vulnerability would allow the attacker to hijack an enterprise’s domain controller (DC) servers. These servers often serve as the backbone of a network’s enterprise with any compromise potentially resulting in a complete takeover of the network. MSTIC noted that they have seen the group targeting this flaw for the last two weeks.
While Microsoft tracks the activity of the group under the codename MERCURY, they are better known by the InfoSec community as MuddyWater. It is believed that the group functions as a contractor under the orders of the Islamic Revolutionary Guard Corps. In Microsoft’s Digital Defence Report the group has primarily targeted NGOs, intergovernmental organizations, government humanitarian aid, and human rights organizations.
Recently though the group has been seen targeting organizations working with refugees as well as network technology providers within the Middle East. In a report published by TrendMicro researchers discovered that the group also utilized custom Android malware families as well as would use false flag tactics in the hope attacks would not be attributed to them but other known advanced persistent threat groups.
Much of what we know of the group stems from a Telegram leak that occurred in 2019, that helped researchers piece together how the group operates. In concluding, researchers for TrendMicro noted,
“Aside from the abovementioned findings, we also found Twitter and Github accounts that we believe are linked to MuddyWater. Researchers have made similar findings in the past. This discovery, as well as the exposure of their operations to the public due to the leak, shows that the threat actor group has poor operational security and lack diligence in covering their tracks.
However, the group also appears to be agile. One week after we published our November 2018 report on their use of base52 encoding, we found out that they modified the alphabet from 52 characters to 40, 45, and 48. In our opinion, this action is a result of our disclosure of their activities.” While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to be successful in compromising its targets over the last two years. This can be attributed to the continuous evolution of their schemes.”
For the most part, this conclusion still rings true today as the Zerologon vulnerability was only seen to be used by the group once proof-of-concept code had been released to the public after Microsoft had released a patch in August. According to Microsoft, the MuddyWater attacks appear to have begun around one week after this proof-of-concept code was published. This was roughly around the same time that other hackers were seen trying to exploit the vulnerability.
Commonly referred to as Zerologon, CVE-2020-1472, is a flaw found within the Netlogon Remote Protocol. The protocol itself is used to authenticate users against domain controllers. The flaw was rated as a 10, a rating reserved for the most severe of vulnerabilities but was not disclosed to the public until Microsoft had released a patch. It was not until Secura published their detailed report on the flaw that the public knew exactly what the problem was. In summary, an attacker looks to exploit a weak cryptographic algorithm used in the Netlogon authentication process.
If successfully done the attacker could impersonate the identity of any computer on a network when trying to authenticate against the domain controller. In turn, this would allow the attacker to disable security features and change a computer's password on the domain controller's Active Directory, a database of all computers joined to a domain and their passwords.
How the cryptographic algorithm is broken is rather technical and beyond the scope of this article, but the simple version involves the addition of zeros, hence the nickname ZeroLogon, to the authentication parameters. The attack is incredibly quick to perform with researchers only needing a few seconds to complete the attack and allows for the compromise of the entire network. Despite this, exploiting the flaw requires the attacker to already have access to the network as the exploit needs to be done from an internal network unless the DC is Internet-facing. Secura noted,
“This attack has a huge impact. It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”
For ransomware gangs, this kind of access is generally what is dreamed about. Being able to compromise the network and being able to spread to other machines at will to encrypt data effectively means game over for the victim. With ZeroLogon it is feared that this process is made simpler. This kind of privileged access to a network is not just strived for by ransomware gangs but also state-sponsored groups for either cyber espionage or more destructive purposes. While several patches have been released, Secura has released a Python script that can be used by network administrators to determine if their network has been patched correctly, effectively preventing the flaw from being exploited.
DHS and “Unacceptable Risk”
Despite the severity of the bug and a patch being available for some time, historically enterprises have been slow to patch systems until it is too late. This provides attacks with several targets. To mitigate this the US Department of Homeland Security’s (DHS) cyber division issued a directive ordering federal civilian agencies to install a security patch for Windows Servers, stating that the flaw posed an “unacceptable risk” to federal networks. The directive is a rarely used legal mechanism that allows US officials to force federal bodies to comply with its contents. According to the DHS the decision to enact the directive came down to the following:
- the availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited;
- the widespread presence of the affected domain controllers across the federal enterprise.
- the high potential for a compromise of agency information systems.
- the grave impact of a successful compromise; and
- the continued presence of the vulnerability more than 30 days since the update was released.
While the DHS directive only applies to US federal civilian agencies, it is a warning to other enterprise networks as to the danger posed by an attacker successfully exploiting the flaw. Given MuddyWater's predilection to target a wide range of organizations ensuring that networks used by these organizations are patched correctly can be vital. In the past, we have seen other Iranian state-sponsored groups quickly moving to take advantage of severe vulnerabilities. What is done on the target network once a compromise occurs is up to the group and orders received by their controlling authority. Cyber espionage activities are always a favorite, but some Iranian state-sponsored operations can be more destructive.
In the past, these groups have been known to use wipers. Nasty pieces of malware are designed to destroy data almost in its entirety. These are deployed for destructive purposes or to hind traces that the attacker was on the network or infected machine. For years Iran has been one of the more prolific proponents of using state-sponsored hacking groups to support their geopolitical goals and undermine their perceived enemies. In 2019, Christopher Krebs, the director of the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), summarised the countries cyber capabilities as,
“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe…Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”