A brand new zero-day vulnerability in NTLM found by researchers at 0patch permits attackers to steal NTLM credentials by having a consumer view a specifically crafted malicious file in Home windows Explorer — no want for the consumer to open the file. These password hashes can be utilized for authentication relay assaults or for dictionary assaults on the password, each for id takeover.
NTLM refers to a collection of previous authentication protocols from Microsoft that present authentication, integrity, and confidentiality to customers. Whereas NTLM was formally deprecated as of June, our analysis reveals that 64% of Energetic Listing consumer accounts recurrently authenticate with NTLM — proof that NTLM remains to be broadly used regardless of its identified weaknesses.
The flaw is exploitable even in environments utilizing NTLM v2, making it a big danger to enterprises that haven’t but moved to Kerberos and are nonetheless counting on NTLM. Contemplating Microsoft could not patch this situation for some time, enterprise defenders ought to take steps to mitigate the vulnerability of their environments. This Tech Tip outlines how dynamic entry insurance policies, a couple of hardening steps, and multifactor authentication (MFA) may help restrict makes an attempt to take advantage of this vulnerability. Upgrading the protocol, the place doable, may eradicate the difficulty utterly.
What Is the NTLM Vulnerability?
When a consumer views a malicious file in Home windows Explorer — whether or not by navigating to a shared folder, inserting a USB drive containing the malicious file, or simply viewing a file within the Downloads folder that was robotically downloaded from a malicious Internet web page — an outbound NTLM connection is triggered. This causes Home windows to robotically ship NTLM hashes of the at present logged-in consumer to a distant attacker-controlled share.
These NTLM hashes can then be intercepted and used for authentication relay assaults and even dictionary assaults, granting attackers unauthorized entry to delicate techniques. Attackers may doubtlessly use the uncovered passwords to entry the group’s software-as-a-service (SaaS) surroundings as a result of excessive charges of synced customers.
The difficulty impacts all Home windows variations from Home windows 7 and Server 2008 R2 as much as the newest Home windows 11 24H2 and Server 2022.
The basic downside with NTLM lies in its outdated protocol design. NTLM transmits password hashes as an alternative of verifying plaintext passwords, making it weak to interception and exploitation. Even with NTLM v2, which makes use of stronger encryption, the hashes can nonetheless be captured and relayed by attackers. NTLM’s reliance on weak cryptographic practices and lack of safety in opposition to relay assaults are key weaknesses that make it extremely exploitable. Furthermore, NTLM authentication doesn’t assist fashionable safety features, akin to MFA, leaving techniques open to a wide range of credential theft methods, akin to pass-the-hash and hash relaying.
What Defenders Have to Do
To mitigate this vulnerability, Microsoft has up to date earlier steerage on tips on how to allow Prolonged Safety for Authentication (EPA) on LDAP, Energetic Listing Certificates Providers (AD CS), and Change Server. On Home windows Server 2022 and 2019, directors can manually allow EPA for AD CS and channel binding for LDAP. There are scripts supplied by Microsoft to activate EPA manually on Change Server 2016. The place doable, replace to the newest Home windows Server 2025 because it ships with EPA and channel binding enabled by default for each AD CS and LDAP.
Some organizations should still be depending on NTLM on account of legacy techniques. These groups ought to take into account extra authentication layers, akin to dynamic risk-based insurance policies, for shielding current NTLM legacy techniques in opposition to exploitations.
Harden LDAP configurations. Configure LDAP to implement channel binding and monitor for legacy shoppers that will not assist these settings.
Examine impression on SaaS. If you’re not sure whether or not there are purposes or shoppers in your surroundings that depend on NTLMv2, you need to use Group Coverage to allow the Community Safety: Prohibit NTLM: Audit incoming NTLM visitors coverage setting. This won’t block NTLMv2 visitors however will log all makes an attempt to authenticate utilizing NTLMv2 within the Operations Log. By analyzing these logs, you may determine which shopper purposes, servers, or companies nonetheless depend on NTLMv2, so you may make focused changes or updates.
Utilizing Group Coverage to restrict or disable NTLM authentication by way of the Community Safety: Prohibit NTLM setting will cut back the chance of fallback situations the place NTLM is unintentionally used.
Monitor SMB visitors. Enabling SMB signing and encryption may help stop attackers from impersonating legit servers and triggering NTLM authentication. Blocking outbound SMB visitors to untrusted networks can even cut back the chance of NTLM credential leakage to rogue servers. Implement community monitoring and alerting for uncommon SMB visitors patterns, notably outbound requests to unknown or untrusted IP addresses.
Go away NTLM behind. NTLM has been deprecated. Directors ought to audit NTLM utilization to determine which techniques nonetheless depend on NTLM. Organizations ought to prioritize transitioning these techniques away from NTLM to extra fashionable authentication protocols, akin to Kerberos. As soon as a extra fashionable protocol is in place, implement MFA so as to add an extra layer of safety.
Taking these steps will assist organizations tackle the basic flaws in NTLM and enhance their safety posture.
/cdn.vox-cdn.com/uploads/chorus_asset/file/24007991/acastro_STK082_qualcomm_01.jpg "Qualcomm wins a legal battle over Arm chip licensing")
