Earlier this week, with its July 2017 Patch Tuesday update, Microsoft released patches for several critical vulnerabilities affecting all supported versions of the Windows operating system, including Windows 10 Enterprise. Researchers at Preempt analyzed and identified two vulnerabilities in the Microsoft Windows NT LAN Manager (NTLM) security protocols which could lead to unauthorized credential use, password cracking and, potentially, domain compromise. Preempt discovered the two flaws and reported them to Microsoft in April 2017.

For those who aren't familiar with the terminology, NT LAN Manager (NTLM) is a suite of Microsoft security protocols providing authentication, integrity and confidentiality to users; it replaced the older LAN Manager (LANMAN) authentication scheme.

What we know about these two vulnerabilities

1. The first NTLM vulnerability, tracked as CVE-2017-8563, concerns Lightweight Directory Access Protocol (LDAP) traffic that is not protected from NTLM relay. LDAP signing is supposed to protect against both Man-in-the-Middle (MitM) attacks and credential forwarding, but it failed to do so properly. Because every Windows protocol that authenticates through the Windows Authentication API (SSPI) can be downgraded to NTLM, an attacker who has obtained a MitM position (for example from a compromised machine on the network) can capture an NTLM authentication made over SMB, WMI, SQL or HTTP and relay it to a domain controller over LDAP. If the relayed session belongs to a domain admin account, the attacker can use it to create a new administrator account and take full control of the attacked network.

2. The second NTLM vulnerability, which has not received a CVE identifier, concerns Remote Desktop Protocol (RDP) Restricted-Admin mode, which lets users "connect to a remote machine without volunteering their password to the remote machine that might be compromised", as the Preempt research team put it.

Because a Restricted-Admin connection can still be downgraded to NTLM authentication, every attack that works against NTLM, such as credential relaying and password cracking, can also be carried out against an RDP Restricted-Admin session. The Preempt researchers added that once an admin connects with a protocol such as RDP Restricted-Admin, HTTP or file sharing (SMB), an attacker with a MitM position can relay that authentication and create a fake domain admin account, proving that the NTLM security protocol is vulnerable and can put both individuals and organizations at risk of losing their sensitive data. Preempt also published a video demonstration that briefly shows how the two NTLM vulnerabilities work and how they could be exploited.

The vulnerabilities reported by Preempt may bear similarities to the flaws abused by the WannaCry and Petya ransomware, and could enable another large-scale attack that we may hear about in the coming period. It might be a matter of days or weeks before new ransomware strikes, so take all the precautions you can and install the latest Windows updates as soon as possible.
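Whether a captured NTLM authentication can be relayed comes down to what was negotiated in the AUTHENTICATE message the attacker forwards. The following Python script is an added example, not part of the original article or of Preempt's research: it parses an NTLM AUTHENTICATE_MESSAGE (the NTLMSSP blob carried inside an LDAP bind, an SMB session setup or an HTTP Authorization header) and reports the account, the NTLM version and whether signing or sealing was negotiated, which is what a responder wants to know when triaging a suspected relay. The three sample messages are constructed inline; the account names, domain and workstation names in them are invented.

```python
import struct

# NegotiateFlags bits as defined in [MS-NLMP]
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
PAYLOAD_START = 88  # 12-byte header, six 8-byte field descriptors, flags, Version, MIC


def _read_field(blob, offset):
    """Read one (Len, MaxLen, BufferOffset) descriptor and return the bytes it points at."""
    length, _max_len, buf_offset = struct.unpack_from("<HHI", blob, offset)
    if buf_offset + length > len(blob):
        raise ValueError("field descriptor points outside the message")
    return blob[buf_offset:buf_offset + length]


def parse_authenticate(blob):
    """Parse an NTLM AUTHENTICATE_MESSAGE (type 3) and summarize what it reveals."""
    if blob[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError("expected AUTHENTICATE_MESSAGE (type 3), got type %d" % msg_type)
    lm_response = _read_field(blob, 12)
    nt_response = _read_field(blob, 20)
    flags = struct.unpack_from("<I", blob, 60)[0]
    # Strings are UTF-16LE when UNICODE was negotiated, otherwise OEM (approximated here as cp437)
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    domain = _read_field(blob, 28).decode(codec)
    user = _read_field(blob, 36).decode(codec)
    workstation = _read_field(blob, 44).decode(codec)
    # An NTLMv1 NtChallengeResponse is exactly 24 bytes; NTLMv2 carries a 16-byte
    # HMAC followed by the variable-length NTLMv2_CLIENT_CHALLENGE blob.
    version = "NTLMv2" if len(nt_response) > 24 else "NTLMv1"
    return {
        "user": user,
        "domain": domain,
        "workstation": workstation,
        "version": version,
        "flags": flags,
        "signing": bool(flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)),
        "sealing": bool(flags & NTLMSSP_NEGOTIATE_SEAL),
        "nt_response_len": len(nt_response),
        "lm_response_len": len(lm_response),
    }


def relay_findings(info):
    """Findings a responder cares about for one captured authentication."""
    findings = []
    if not info["signing"] and not info["sealing"]:
        # Without signing the relayed session is usable as-is; with signing the relaying
        # attacker cannot compute the session key, so the server rejects the signed traffic.
        findings.append("no signing or sealing negotiated: relayable to an LDAP server "
                        "that does not require signing")
    if info["version"] == "NTLMv1":
        findings.append("NTLMv1 response: cheaply crackable offline")
    return findings


def build_authenticate(user, domain, workstation, nt_response, lm_response, flags):
    """Assemble a type 3 message (used here only to construct the sample input)."""
    payload = b""
    descriptors = b""
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    for data in (lm_response, nt_response, domain.encode(codec), user.encode(codec),
                 workstation.encode(codec), b""):  # last field: EncryptedRandomSessionKey
        descriptors += struct.pack("<HHI", len(data), len(data), PAYLOAD_START + len(payload))
        payload += data
    header = SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
    # NegotiateFlags, then a zeroed Version field (8 bytes) and MIC (16 bytes)
    trailer = struct.pack("<I", flags) + bytes(8) + bytes(16)
    return header + descriptors + trailer + payload


# Constructed samples (invented names). The NTLMv2 response is a 16-byte HMAC plus a blob.
_NTLMV2_RESPONSE = b"\x11" * 16 + b"\x01\x01" + bytes(6) + b"\x22" * 8 + b"\x33" * 8 + bytes(8)
SAMPLE_RELAYABLE = build_authenticate("da-admin", "CORP", "WS01", _NTLMV2_RESPONSE, bytes(24),
                                      NTLMSSP_NEGOTIATE_UNICODE)
SAMPLE_SIGNED = build_authenticate("svc-backup", "CORP", "WS02", _NTLMV2_RESPONSE, bytes(24),
                                   NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_SIGN
                                   | NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
SAMPLE_V1 = build_authenticate("legacy", "CORP", "OLDBOX", b"\x44" * 24, b"\x55" * 24,
                               NTLMSSP_NEGOTIATE_UNICODE)

if __name__ == "__main__":
    for name, blob in (("relayable", SAMPLE_RELAYABLE), ("signed", SAMPLE_SIGNED), ("v1", SAMPLE_V1)):
        info = parse_authenticate(blob)
        print(name, info["domain"] + "\\" + info["user"], info["version"],
              relay_findings(info) or ["no finding"])
```

Two caveats when using this on real captures. The flags are only as trustworthy as the exchange that produced them: a MitM can strip the signing bits from the NEGOTIATE message, and only a validated MIC (which this script does not check) catches that. And the relay verdict is about the client side; the fix for CVE-2017-8563 is server-side, so the July 2017 update, LDAP signing and channel binding on domain controllers, SMB signing, and disabling NTLM where possible are what actually close the hole.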

UPDATE July 17, 2017

There is also news of two other hacking tools which can lead to credential leakage and further compromise. WikiLeaks' Vault 7 release revealed two CIA hacking tools, BothanSpy and Gyrfalcon, which target the Windows and Linux operating systems respectively to steal SSH credentials. BothanSpy targets the Xshell SSH client on Windows and steals the usernames and passwords of its users. Gyrfalcon, aimed at the OpenSSH client on Linux, not only steals the user credentials of active SSH sessions but can also collect full or partial OpenSSH session traffic. To better understand how a cyber attack works and how cybercriminals discover unpatched vulnerabilities in a piece of software, we strongly recommend looking at the graphic below. We believe it is essential to understand that proactive security measures against unknown threats have long-term benefits for both individuals and organizations, and that you need to take them seriously in order to avoid losing sensitive data. Once again, we emphasize that the best protection against these criminal attacks remains proactive security combined with basic cyber security education.


Anonymous Hackers on March 15, 2020 at 7:32 pm


Very fascinating, good job and thanks for sharing such a good blog site.

Nice article, such an informative post which draws our attention towards Windows malware systems.

Hi there! Many thanks for your kind words!

Nice posting. Windows Defender didn't do so well with user-based malware: in 3.6% of malware instances, Windows Defender offers users the option to execute the malware as opposed to outright blocking it.

Nice article, such an informative post which draws our attention towards the loopholes in Windows malware systems.


This is the main reason why people in the USA always prefer iOS instead of Windows. User data in Windows is highly unsecured. I suggest everybody switch to iOS.

Very useful information on security. I learned a lot.

Very good article. Being in the computer repair business for almost 20 years, I have seen the progression of security threats. In my opinion the average computer user is more vulnerable than they have ever been.

There are many vulnerabilities related to Microsoft which we are all facing in our systems. After reading your post, everyone will understand the vulnerabilities and the issues coming with them. It is great.

Hello and thank you for your feedback! Happy to know this article was helpful!

Thank you for the information. It helped a lot!

Patrick Vivignis on July 19, 2017 at 6:59 pm

5 stars for heimdal security
