Critical Vulnerabilities in Windows Leave Computers Exposed to New Attacks
What You Need to Know About Vulnerabilities Found in Microsoft Windows
Earlier this week, as part of its Patch Tuesday update, Microsoft released patches for several critical vulnerabilities affecting all versions of the Windows operating system, including critical flaws in Windows 10 for enterprises.
Researchers at Preempt have analyzed and identified two vulnerabilities within the Microsoft Windows NT LAN Manager (NTLM) security protocols which could lead to unauthorized credential use, password cracking and, potentially, domain compromise.
The company initially discovered and reported these two critical vulnerabilities to Microsoft in April 2017.
For those who aren’t familiar with the terminology, NT LAN Manager (NTLM) is a suite of Microsoft security protocols providing authentication, integrity and confidentiality for users, and it replaced the older Windows LAN Manager (LANMAN) platform.
What we know about these two vulnerabilities
1. The first NTLM vulnerability, known as CVE-2017-8563, concerns the Lightweight Directory Access Protocol (LDAP) not being adequately protected from NTLM relay. LDAP is supposed to protect against both Man-in-the-Middle (MitM) attacks and credential forwarding, but it does not do so properly.
Because Windows protocols that use the Windows Authentication API (SSPI) allow an authentication session to be downgraded to NTLM, a computer can be exposed when it connects to an infected machine over SMB, WMI, SQL or HTTP.
If a domain admin account is active on a vulnerable system, attackers can use it to create an administrator account of their own and take full control of the attacked network.
2. The second NTLM vulnerability, which has no CVE identifier, concerns Remote Desktop Protocol (RDP) Restricted-Admin mode, which allows “users to connect to a remote machine without volunteering their password to the remote machine that might be compromised”, as the Preempt research team put it.
This means that every attack that works against NTLM, such as credential relaying and password cracking, can also be carried out against RDP Restricted-Admin.
Researchers from Preempt also noted that once an admin connects with protocols such as RDP Restricted-Admin, HTTP or File Share (SMB), a cyber criminal can create a fake domain admin. This shows that the NTLM security protocol is vulnerable and can put both individuals and organizations at risk of losing sensitive data.
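Both findings above rely on the same two preconditions a defender can watch for: a privileged account authenticating with NTLM over the network, and a domain controller accepting an LDAP bind that is not signed. The script below is an added example written for this page, not code from the article or from Preempt. It runs detection logic over a handful of constructed, simplified event records: the field names follow the Windows Security event 4624 (logon) and the Directory Service event 2889 (LDAP bind without signing, or simple bind over cleartext), but each record is flattened to one key=value line, and the list of privileged accounts is a constructed placeholder.

```python
"""Flag the NTLM-relay-to-LDAP footprint in simplified Windows event records.

Added example for this article; the records below are constructed, not captured.
"""
import re
from typing import Dict, List, Tuple

# Constructed, simplified event records. Field names mirror the Windows
# Security (4624) and Directory Service (2889) event text; the layout is
# flattened to one line per event so the example stays self-contained.
SAMPLE_EVENTS = [
    "EventID=4624 Computer=DC01 AuthenticationPackage=Kerberos LogonType=3 TargetUserName=alice IpAddress=10.0.0.5",
    "EventID=4624 Computer=DC01 AuthenticationPackage=NTLM LogonType=3 TargetUserName=da_admin IpAddress=10.0.0.77",
    "EventID=4624 Computer=WS02 AuthenticationPackage=NTLM LogonType=2 TargetUserName=bob IpAddress=-",
    "EventID=2889 Computer=DC01 ClientIP=10.0.0.77:52100 Identity=CONTOSO\\da_admin BindingType=0",
    "EventID=2889 Computer=DC01 ClientIP=10.0.0.12:60211 Identity=CONTOSO\\svc_backup BindingType=1",
]

# Constructed placeholder: accounts treated as privileged for the correlation step.
PRIVILEGED_ACCOUNTS = {"da_admin"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dictionary."""
    return dict(_KV.findall(line))


def ntlm_network_logons(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Event 4624 with Authentication Package NTLM and Logon Type 3 (network).

    This is the logon shape a relayed NTLM handshake produces on the server
    that accepted it; interactive NTLM logons (type 2) are left out.
    """
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e.get("EventID") == "4624"
        and e.get("AuthenticationPackage") == "NTLM"
        and e.get("LogonType") == "3"
    ]


def unsigned_ldap_binds(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Event 2889 on a domain controller: Binding Type 0 is a SASL bind that
    did not request signing, Binding Type 1 is a simple bind over cleartext."""
    kinds = {"0": "sasl-unsigned", "1": "simple-cleartext"}
    found = []
    for e in events:
        if e.get("EventID") != "2889":
            continue
        ip = e["ClientIP"].rsplit(":", 1)[0]          # strip the source port
        user = e["Identity"].split("\\")[-1]          # drop the DOMAIN\ prefix
        found.append((user, ip, kinds.get(e.get("BindingType"), "unknown")))
    return found


def relay_to_ldap_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Correlate the two signals: a privileged account seen in an NTLM network
    logon and in an unsigned LDAP bind from the same source address."""
    ntlm_sources = set(ntlm_network_logons(events))
    alerts = []
    for user, ip, kind in unsigned_ldap_binds(events):
        if user in PRIVILEGED_ACCOUNTS and (user, ip) in ntlm_sources:
            alerts.append(f"{user} from {ip}: NTLM network logon + {kind} LDAP bind")
    return alerts


def run(lines: List[str] = SAMPLE_EVENTS) -> List[str]:
    """Parse the records and return the alert strings."""
    return relay_to_ldap_alerts([parse_event(line) for line in lines])


if __name__ == "__main__":
    for alert in run():
        print("ALERT:", alert)
```

Two practical notes. Event 2889 is only written when the domain controller's "16 LDAP Interface Events" diagnostic level has been raised, so the second signal is silent on a DC with default logging. And the correlation is a symptom check: the control that removes the relay target is the "Domain controller: LDAP server signing requirements" policy set to require signing, together with applying the July 2017 update the article describes.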
Preempt also created a video demonstration to briefly show how these two different NTLM vulnerabilities work and how they could be exploited.
These vulnerabilities reported by Preempt may have similarities to the WannaCry and Petya ransomware outbreaks and could lead to another cyber attack that we may hear about in the coming period. It might be a matter of days or weeks until new ransomware strikes, so you need to take all precautions and install the latest Windows updates as soon as possible.
UPDATE July 17, 2017
There is also information about two other hacking tools which can lead to data leakage and further compromise.
Wikileaks Vault-7 revealed two new CIA hacking tools: BothanSpy and Gyrfalcon, both of which can be used to exploit the Windows and Linux operating systems to steal SSH credentials.
BothanSpy is a tool that attacks the SSH client program Xshell, with a focus on Windows systems, and steals users' credentials (usernames and passwords). Gyrfalcon not only steals the credentials of active SSH sessions but can also collect full or partial OpenSSH session traffic.
To better understand how a cyber attack works and how cybercriminals discover unpatched vulnerabilities in a piece of software, we strongly recommend looking at the graphic below.
We believe it’s essential to understand that proactive security measures against unknown threats have long-term benefits for both individuals and organizations, and that they need to be taken seriously in order to avoid losing sensitive data.
Once again, we emphasize the fact that the best protection against these criminal attacks remains proactive security mixed with basic cyber security education.