Microsoft has confirmed that it is investigating a reported zero-day vulnerability in Windows that could allow threat actors to capture New Technology LAN Manager (NTLM) credentials from users of all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.
The flaw, which is yet to be assigned a CVE designation, can be exploited simply by tricking users into viewing, not opening, a specially crafted malicious file in File Explorer.
While the researchers who discovered the vulnerability are withholding full technical details until Microsoft provides an official patch, it is believed that the flaw allows the malicious file to force an outbound NTLM connection to a remote share.
That connection causes Windows to automatically send the logged-in user’s NTLM hashes, which the threat actor can then crack and turn into plaintext usernames and passwords, enabling unauthorized authentication.
The researchers who discovered the flaw have released a free micropatch that aims to address the flaw until Microsoft releases an official patch. However, the micropatch could cause disturbances to legitimate NTLM networking, so it’s recommended users test the micropatch on non-critical devices before deploying it network-wide.
Source: Bleeping Computer
Analysis
NTLM hash capture, crack, and replay attacks have been a known tactic of criminal and state-sponsored threat actors over the last decade. Almost every publicly available penetration testing tool, such as Mimikatz and Impacket, has modules that support the extraction of NTLM hashes from memory or remote web requests.
In 2023, citing this abuse, Microsoft announced it would deprecate the NTLM protocol in future Windows 11 versions and rely instead on the more modern Kerberos authentication protocol. However, many systems still use NTLM and, if not configured properly, remain vulnerable to NTLM-based attacks.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in operating systems like Windows. Field Effect MDR users are automatically notified if a vulnerable version of Windows is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
NTLM hashes are typically transferred remotely via requests on port 445, which uses the Server Message Block (SMB) protocol. SMB is a network file-sharing protocol, widely used in Windows environments, that allows applications and systems to read, write, and request services from files and resources, such as printers, on a network.
While SMB is quite useful for internal networks, it presents a threat when used externally, since the client automatically includes the user’s NTLM hash when authenticating to the requested resource. Therefore, organizations should ensure that external connections via port 445 are blocked, unless there is a compelling business reason not to do so.
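One way to apply the port 445 recommendation on an individual Windows host, as an added example that is not part of the original article or Field Effect’s tooling: a Windows Defender Firewall rule that blocks outbound SMB to every IPv4 destination outside the private, loopback and link-local ranges, with logging enabled so coerced connection attempts remain visible. The rule name and the decision to exclude exactly these ranges are assumptions for this example.

```powershell
# Added example (not from the original article): block outbound SMB (TCP 445)
# to any destination outside the RFC 1918, loopback and link-local ranges, so
# a crafted file cannot coerce an NTLM handshake with an Internet-hosted share.
# Run from an elevated PowerShell session. Rule name is an assumption.
$ruleName = 'Block outbound SMB to non-private addresses'

# Every IPv4 range that is NOT 10/8, 127/8, 169.254/16, 172.16/12 or 192.168/16.
# Listing the complement explicitly keeps the rule independent of the
# network-location heuristics behind the firewall's 'Internet' keyword.
$externalRanges = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# Before adding the rule, list current outbound 445 connections so anything
# legitimate (a cloud file share, for instance) is noticed before it breaks.
Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, OwningProcess |
    Format-Table -AutoSize

# Remove any previous copy of the rule so the script is safe to re-run.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName `
    -Description 'Prevents NTLM credential leakage to external SMB shares' `
    -Direction Outbound -Action Block -Enabled True -Profile Any `
    -Protocol TCP -RemotePort 445 -RemoteAddress $externalRanges | Out-Null

# Log dropped packets on all profiles; blocked 445 attempts then appear in
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log for review.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True

# Verify the address scope that was actually applied to the rule.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

The rule covers IPv4 only; hosts with IPv6 connectivity need a matching rule for non-link-local IPv6 destinations. In a managed environment the same rule is normally delivered through Group Policy rather than run per host.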
Field Effect strongly recommends users of affected Windows versions update to the latest version as soon as Microsoft releases an official patch. In the meantime, users who wish to ensure their systems are as secure as possible should consider deploying the unofficial micropatch released by the researchers who discovered the flaw initially.