
Microsoft NTLM Zero-Day Vulnerability Unpatched Until April


Microsoft’s recent release of guidance to help organizations combat NTLM relay attacks comes in the wake of researchers uncovering a zero-day vulnerability in all versions of Windows Workstation and Server, from Windows 7 to Windows 11. The zero-day flaw, which enables attackers to access a user’s NTLM credentials simply by tricking them into opening a malicious file via Windows Explorer, poses a significant threat to user data security.

According to researchers at ACROS Security, the bug allows bad actors to compromise a user’s credentials with minimal effort, such as opening a shared folder or USB disk containing the malicious file. Mitja Kolsek, CEO of ACROS Security, emphasized the ease of exploitation by stating that viewing the Downloads folder where the file was automatically downloaded from an attacker’s website is all it takes for the credentials to be compromised.

In response to the zero-day vulnerability, Microsoft has confirmed that it will not be issuing a patch for several months, leaving organizations vulnerable to potential credential theft in the meantime. The severity of the bug has been classified as “Important,” falling just below the critical level, and a fix is expected to be rolled out in April. Microsoft has assured that it is aware of the issue and is working to protect its customers from exploitation.

This zero-day NTLM hash disclosure is not the first of its kind, as ACROS previously reported a similar bug related to Windows Themes spoofing, which also remains unpatched by Microsoft. The recurrence of such vulnerabilities highlights the ongoing challenges faced by the NTLM protocol in maintaining the security of user credentials.

NTLM, a legacy authentication protocol that modern Windows systems still ship for backward compatibility, has been repeatedly targeted by malicious actors because of its well-known weaknesses. NTLM relaying, in which an attacker intercepts a client’s authentication exchange and forwards it to another server or service to authenticate as that client, remains a popular tactic among cybercriminals. Microsoft’s updated guidance advises organizations to enable Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server to blunt such attacks.
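A defender-side heuristic for the relay pattern described above, added here as an illustration and not code from the article, ACROS Security or Microsoft: a relayed NTLM logon arrives at the target from the relay host’s address, while the forwarded NTLM message still names the victim’s workstation, so the WorkstationName and IpAddress fields of Security event 4624 disagree. The hostname-to-IP inventory and the sample events are constructed for the example.

```python
"""Heuristic detection of relayed NTLM logons in Windows Security event 4624 records.

Added example (not code from the article, ACROS Security or Microsoft). A relayed
NTLM logon reaches the target from the relay host's IP while the forwarded NTLM
AUTHENTICATE message still names the victim's workstation, so WorkstationName and
IpAddress disagree. Assumes events as dicts of 4624 EventData fields and a
constructed hostname -> IP inventory treated as authoritative.
"""
from dataclasses import dataclass
from typing import Optional

INVENTORY = {"WS-ALICE": "10.0.1.25", "WS-BOB": "10.0.1.26", "FS01": "10.0.2.10"}

@dataclass(frozen=True)
class Finding:
    user: str
    workstation: str
    ip: str
    reason: str

def inspect_4624(event: dict, inventory: dict = INVENTORY) -> Optional[Finding]:
    """Return a Finding for a suspicious NTLM network logon, else None."""
    if event.get("LogonType") != "3" or event.get("AuthenticationPackageName") != "NTLM":
        return None                                   # only NTLM network logons
    user = event.get("TargetUserName", "")
    ws = event.get("WorkstationName", "").upper()
    ip = event.get("IpAddress", "")
    if event.get("LmPackageName") == "NTLM V1":       # v1 responses are trivially abusable
        return Finding(user, ws, ip, "NTLMv1 accepted")
    expected = inventory.get(ws)
    if expected is None:
        return Finding(user, ws, ip, "workstation not in inventory")
    if ip not in ("", "-") and ip != expected:        # claimed host vs. actual source
        return Finding(user, ws, ip, f"{ws} is {expected}, but logon came from {ip}")
    return None

def scan(events) -> list:
    return [f for f in map(inspect_4624, events) if f]

# Constructed sample events (subset of 4624 EventData fields).
SAMPLE_EVENTS = [
    {"LogonType": "3", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.1.25"},
    {"LogonType": "3", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.9.200"},
    {"LogonType": "3", "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "TargetUserName": "bob", "WorkstationName": "WS-BOB", "IpAddress": "10.0.1.26"},
    {"LogonType": "3", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "TargetUserName": "svc_backup", "WorkstationName": "FS01", "IpAddress": "10.0.2.10"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings: the second event (alice’s workstation claimed, but the logon came from 10.0.9.200) and the fourth (an NTLMv1 response accepted by FS01); the legitimate NTLMv2 and Kerberos logons pass.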

The company stresses the importance of implementing EPA, especially for Exchange Server, given its significant role in the NTLM threat landscape. Recent vulnerabilities like CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563 have been exploited by attackers for NTLM coercion purposes, using Office documents and Outlook emails as entry points for launching attacks. Following Microsoft’s recommendations for mitigating NTLM-related vulnerabilities is crucial in safeguarding against potential security breaches.

While it remains unclear whether Microsoft’s latest guidance is directly linked to the zero-day disclosure by ACROS, experts advise organizations to adhere to these recommendations to minimize their risk exposure. In cases where immediate patching is not feasible, alternative solutions like the micropatches offered by ACROS Security through 0patch can provide temporary protection for vulnerable systems. Taking proactive measures to defend against NTLM-related threats is essential in safeguarding sensitive information and preventing unauthorized access to valuable data.
