NTLM Relay Attack | Breaking Cybersecurity News | The Hacker News

Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its  Patch Tuesday updates . Tracked as  CVE-2024-21410  (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting the Exchange Server. "An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability," the company  said  in an advisory published this week. "The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf." Successful exploitation of the flaw could permit an attacker to relay a user's leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user, Redmond added. The tech giant, in an update to its bulletin, revised...

A security flaw has been disclosed in Kyocera's  Device Manager  product that could be exploited by bad actors to carry out malicious activities on affected systems. "This vulnerability allows attackers to coerce authentication attempts to their own resources, such as a malicious SMB share, to capture or relay Active Directory hashed credentials if the 'Restrict NTLM: Outgoing NTLM traffic to remote servers' security policy is not enabled," Trustwave  said . Tracked as  CVE-2023-50916 , Kyocera, in an  advisory  released late last month, described it as a path traversal issue that enables an attacker to intercept and alter a local path pointing to the backup location of the database to a universal naming convention (UNC) path. This, in turn, causes the web application to attempt to authenticate the rogue UNC path, resulting in unauthorized access to clients' accounts and data theft. Furthermore, depending on the configuration of the environment, it cou...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

Microsoft has announced that it  plans  to eliminate NT LAN Manager ( NTLM ) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolster security. "The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM)," the tech giant said. "New features for Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center ( KDC ) for Kerberos." IAKerb enables clients to authenticate with Kerberos across a diverse range of network topologies. The second feature, a local Key Distribution Center (KDC) for Kerberos, extends Kerberos support to local accounts. First introduced in the 1990s, NTLM is a  suite of security protocols  intended to provide authentication, integrity, and confidentiality to users. It is a single sign-on (SSO) tool that relies on a challenge-response protocol that proves ...

A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder  NTLMv2 hashes  from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz. "In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang's  Start-CaptureServer PowerShell script , executing various system commands, and exfiltrating the retrieved data via Mockbin APIs," security researchers Niraj Shivtarkar and Avinash Kumar said. Nishang  is a framework and collection of PowerShell scripts and payloads for offensive security, penetration testing, and red teaming. The attacks leverage as many as five different infection chains, although they all leverage phishing emails containing ZIP archives as the starting point to infiltrate specific targets using geofencing techniques - NTLMv2 hash stealing infection...

Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability. Tracked as CVE-2023-23397 (CVSS score: 9.8), the  critical flaw  relates to a case of privilege escalation that could be exploited to steal NT LAN Manager (NTLM) hashes and stage a  relay attack  without requiring any user interaction. "External attackers could send specially crafted emails that will cause a connection from the victim to an untrusted location of attackers' control," the company  noted  in an advisory released this month. "This will leak the  Net-NTLMv2 hash  of the victim to the untrusted network which an attacker can then relay to another service and authenticate as the victim." The vulnerability was resolved by Microsoft as part of its  Patch Tuesday updates  for March 2023, but not before Russia-based threat actors weaponized the flaw in attacks targeting gover...

A new kind of Windows NTLM relay attack dubbed  DFSCoerce  has been uncovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to seize control of a domain. "Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay [Domain Controller authentication] to [Active Directory Certificate Services]? Don't worry MS-DFSNM have (sic) your back," security researcher Filip Dragovic  said  in a tweet. MS-DFSNM  provides a remote procedure call (RPC) interface for administering distributed file system configurations. The NTLM (NT Lan Manager) relay attack is a well-known method that exploits the challenge-response mechanism. It allows malicious parties to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources, effectively gaining an initial foothold i...

Microsoft on Tuesday rolled out fixes for as many as  74 security vulnerabilities , including one for a zero-day bug that's being actively exploited in the wild. Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release. These encompass 24 remote code execution (RCE), 21 elevation of privilege, 17 information disclosure, and six denial-of-service vulnerabilities, among others. The updates are in addition to  36 flaws  patched in the Chromium-based Microsoft Edge browser on April 28, 2022. Chief among the resolved bugs is  CVE-2022-26925  (CVSS score: 8.1), a spoofing vulnerability affecting the Windows Local Security Authority ( LSA ), which Microsoft describes as a "protected subsystem that authenticates and logs users onto the local system." "An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controlle...

A newly uncovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an  NTLM relay attack  and completely take over a Windows domain. The issue, dubbed " PetitPotam ," was discovered by security researcher Gilles Lionel, who shared technical details and proof-of-concept (PoC) code last week, noting that the flaw works by forcing "Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function." MS-EFSRPC  is Microsoft's Encrypting File System Remote Protocol that's used to perform "maintenance and management operations on encrypted data that is stored remotely and accessed over a network." Specifically, the attack enables a domain controller to authenticate against a remote NTLM under a bad actor's control using the MS-EFSRPC interface and share its authen...