Key Takeaways:
Researchers at Acros Security recently discovered a critical Windows zero-day vulnerability affecting all supported versions of the operating system. In response, Microsoft has issued new guidelines to help administrators proactively mitigate NTLM relay attacks within enterprise networks.
Windows NTLM (New Technology LAN Manager) is a family of authentication protocols used to verify users and protect their sessions. It uses a challenge-response mechanism to prove identity without sending the password itself over the network. In June 2023, Microsoft officially deprecated NTLM and now advises customers to adopt the Negotiate protocol, which prefers the more secure Kerberos system and falls back to NTLM only when absolutely necessary.
According to researchers from Acros Security, the Windows zero-day vulnerability enables hackers to steal NTLM credentials simply by tricking a user into viewing a folder that contains a malicious file. This flaw impacts all Windows versions, from Windows 7/Server 2008 R2 to Windows 11 Version 24H2 and Windows Server 2022.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” explained Mitja Kolsek, CEO of Acros Security.
Fortunately, this NTLM authentication flaw has not yet been exploited in the wild. Microsoft has classified the vulnerability as “Important” in severity and plans to release a fix in April.
Microsoft noted that NTLM relaying is a common technique used in identity compromise attacks. The company highlighted three specific vulnerabilities (CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563) that attackers have exploited to coerce NTLM authentication.
Microsoft has updated its guidance to help enterprise administrators safeguard their organizations against NTLM-related vulnerabilities. It strongly recommends enabling Extended Protection for Authentication (EPA) by default on Exchange Server, LDAP, and AD CS.
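The following PowerShell script is an added example, not code from the article or from Microsoft, showing how an administrator can verify two of the three EPA hardening points named above (LDAP on domain controllers and AD CS web enrollment in IIS) and confirm that NTLM auditing is switched on so that remaining NTLM use becomes visible. It assumes it runs elevated on a domain controller (for the LDAP checks) or on the certification authority host (for the IIS check), and that AD CS web enrollment is installed at the default IIS location `Default Web Site/CertSrv`. The registry value names and IIS attribute it reads are the documented ones; the function and variable names are the example's own. It only reports; it changes nothing.

```powershell
# Added example (not from the article or Microsoft): read-only NTLM relay
# hardening check. Assumes an elevated session on a DC or AD CS host and the
# default AD CS web enrollment path 'Default Web Site/CertSrv'.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Area, [string]$Setting, $Current, $Expected, [bool]$Ok)
    $findings.Add([pscustomobject]@{
        Area     = $Area
        Setting  = $Setting
        Current  = if ($null -eq $Current) { '(not set)' } else { $Current }
        Expected = $Expected
        Status   = if ($Ok) { 'OK' } else { 'HARDEN' }
    })
}

# 1. LDAP (domain controllers): signing and channel binding are EPA for LDAP.
#    LDAPServerIntegrity: 1 = none, 2 = require signing.
#    LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $p = Get-ItemProperty -Path $ntds
    Add-Finding 'LDAP' 'LDAPServerIntegrity' $p.LDAPServerIntegrity 2 ($p.LDAPServerIntegrity -eq 2)
    Add-Finding 'LDAP' 'LdapEnforceChannelBinding' $p.LdapEnforceChannelBinding 2 ($p.LdapEnforceChannelBinding -eq 2)
}

# 2. AD CS web enrollment (IIS): Extended Protection must be 'Require' so a
#    relayed NTLM exchange fails the channel binding check.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $ep = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location 'Default Web Site/CertSrv' -Filter $filter -Name 'tokenChecking' `
            -ErrorAction SilentlyContinue
    if ($null -ne $ep) {
        # The cmdlet may return the enum name or a ConfigurationAttribute; normalise to text.
        $current = if ($ep -is [string]) { $ep } elseif ($null -ne $ep.Value) { "$($ep.Value)" } else { "$ep" }
        Add-Finding 'AD CS' 'extendedProtection/tokenChecking' $current 'Require' ($current -eq 'Require')
    }
}

# 3. NTLM auditing: without it, clients that still authenticate with NTLM
#    (and are therefore relayable) stay invisible.
#    AuditReceivingNTLMTraffic: 0 = off, 1 = domain accounts, 2 = all accounts.
#    AuditNTLMInDomain (DC only): 0 = off, 7 = audit all NTLM in the domain.
$msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
Add-Finding 'NTLM audit' 'AuditReceivingNTLMTraffic' $msv.AuditReceivingNTLMTraffic 2 ($msv.AuditReceivingNTLMTraffic -eq 2)
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
if ($null -ne $nl.AuditNTLMInDomain -or (Test-Path $ntds)) {
    Add-Finding 'NTLM audit' 'AuditNTLMInDomain' $nl.AuditNTLMInDomain 7 ($nl.AuditNTLMInDomain -eq 7)
}

# If auditing is on, summarise the last 24h of NTLM operational events per source
# so the admin can see which hosts still need to be moved to Kerberos.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
if ($events) {
    Write-Host "NTLM operational events in the last 24h: $($events.Count)"
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{n='EventId';e={$_.Name}}, Count | Format-Table -AutoSize
}

$findings | Format-Table -AutoSize
```

Exchange Server is the third system the guidance names; it is deliberately not covered here because EPA on Exchange is configured per virtual directory, and Microsoft ships a dedicated script for that (ExchangeExtendedProtectionManagement.ps1 in its CSS-Exchange repository) which also validates the TLS prerequisites that EPA on Exchange depends on. Any row reported as HARDEN above should be fixed through Group Policy or the IIS configuration rather than by editing the registry directly, so that the setting is enforced consistently across the fleet.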