Iranian APT MERCURY Exploits Zerologon in Persistent Cyber Campaigns

Microsoft reports that the Iranian APT group MERCURY (aka MuddyWater) is actively exploiting the Zerologon vulnerability (CVE-2020-1472) to compromise Active Directory services. Known for targeting Middle Eastern governments for data exfiltration, MERCURY has also exploited the SharePoint vulnerability (CVE-2019-0604) to implant web shells for persistent access. These attacks often involve Cobalt Strike payloads and lateral movement within networks, focusing on domain controllers. Despite patches released in 2020, exploitation attempts remain widespread, highlighting the need for robust patch management. MERCURY's activities highlight the ongoing threat to governments and other critical sectors in the Middle East.