This Cybersecurity Threat Advisory highlights a new Microsoft vulnerability that attackers are actively exploiting to steal NTLM (NT LAN Manager) hashes. Read the full article to learn the severity of the threat and recommendations to mitigate the organization’s risks.
What is the threat?
The threat revolves around the compromise of NTLM hashes. Attackers are exploiting this flaw to leak NTLM hashes, which are cryptographic representations of user passwords. This process is facilitated by a new Microsoft Outlook vulnerability, CVE-2023-35636. It enable attackers to steal NTLM hashes through malicious actions in Outlook, Windows File Explorer, and related programs.
Why is it noteworthy?
This threat is significant due to its potential to compromise user credentials, which can be used for other attacks. The exploitation of widely used applications like Microsoft Outlook and Windows File Explorer makes it particularly concerning, as these are integral components of many organizations’ communication and file-sharing systems. For instance: CVE-2023-35636 represents an attack on Microsoft Outlook’s calendar sharing feature. In this exploit, the addition of two headers to an email prompts Outlook to share its content and communicate with a specified server, presenting a chance to intercept an NTLM v2 hash. Successful attacks could lead to unauthorized access, data breaches, and even lateral movement within networks.
What is the exposure or risk?
Attackers commonly employ NTLM v2 hashes in two specific types of attacks: offline brute-force attacks and authentication relays. In an offline brute-force attack, the adversary obtains a copy of the user’s password NTLM v2 hash and utilizes a computer to systematically generate various passwords. These passwords are then tested one by one against the hash until a matching password is identified. Organizations face a heightened risk of unauthorized access and data breaches. The compromise of NTLM hashes allows attackers to impersonate users, gaining unauthorized access to sensitive information and systems. Furthermore, the potential for lateral movement within networks increases the scope and severity of the threat.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact on NTLM hash leaks:
- Promptly apply security patches provided by Microsoft to address the vulnerabilities in Outlook and related programs.
- SMB signing is a security measure designed to safeguard SMB traffic against tampering and man-in-the-middle attacks. It functions by digitally signing every SMB message, ensuring that any attempt by an attacker to alter an SMB message will be detectable by the recipient.
- Educate users about phishing attacks and social engineering tactics that attackers may use to exploit the NTLM hash leak vulnerability.
- Implement MFA as an extra layer of security, even if NTLM hashes are compromised.
- Implement network segmentation to limit lateral movement in case of a successful attack, isolating critical systems from compromised ones.
- Regularly monitor and audit network activities to detect and respond to suspicious behavior associated with NTLM hash leak attacks.
- Stay vigilant, update security measures, and educate users to effectively protect against this emerging threat.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.helpnetsecurity.com/2024/01/22/attackers-steal-ntlm-hashes/
- https://www.securityweek.com/new-ntlm-hash-leak-attacks-target-outlook-windows-programs/
- https://www.varonis.com/blog/outlook-vulnerability-new-ways-to-leak-ntlm-hashes#:~:text=Varonis%20Threat%20Labs%20discovered%20a%20new%20Outlook%20vulnerability%20(CVE%2D2023,)%2C%20and%20Windows%20File%20Explorer
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.