Mirai Botnet aka Katana – Active IOCs
December 7, 2024
Stealc Information Stealer Malware – Active IOCs
December 8, 2024
Severity
High
Analysis Summary
A new zero-day vulnerability has been discovered that enables attackers to capture NTLM credentials simply by tricking a target into viewing a malicious file in Windows Explorer. The flaw, uncovered by researchers who provide unofficial support for end-of-life Windows versions, has been reported to Microsoft, but no official fix has been released at the time of writing.
This vulnerability impacts all Windows versions, from Windows 7 and Server 2008 R2 to Windows 11 24H2 and Server 2022. The researchers have withheld technical details to prevent active exploitation, but explained that the attack is triggered merely by viewing the malicious file in File Explorer; it does not need to be opened. A user could therefore trigger the exploit unknowingly by browsing to a shared folder, a USB disk, or the Downloads folder that contains the file.
The vulnerability forces an outbound NTLM connection to an attacker-controlled remote share, causing Windows to authenticate automatically with the logged-in user's credentials. The captured NTLM challenge-response discloses the username and domain, can be cracked offline to recover the plaintext password, and can also be relayed to other services that accept NTLM. Despite Microsoft's announcement last year that NTLM would be phased out in Windows 11, the protocol remains enabled by default and is still a significant target.
The researchers have released a free micropatch for this NTLM zero-day, which can be applied automatically via their platform. Alternatively, administrators can restrict outgoing NTLM authentication through Group Policy (Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers) or the equivalent registry setting, after auditing which services in the environment still depend on NTLM. This is the third zero-day reported by these researchers that Microsoft has not addressed promptly; the previous two, a Mark of the Web (MotW) bypass and a Windows Themes credential leak, also remain unfixed.
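The following PowerShell script is an added example, not code from the original advisory or from the researchers who reported the flaw. It applies the Group Policy / registry mitigation described above on a single host: it switches outgoing NTLM to audit mode, lists the NTLM authentications that would have been blocked (Event ID 8001 in the Microsoft-Windows-NTLM/Operational log), and, as defence in depth, blocks outbound SMB to the Internet so a forced authentication cannot leave the network. The registry path and values are the documented backing store of the policy setting; the server name in the commented-out Deny call and the firewall rule name are hypothetical. Run in an elevated session.

```powershell
# Added example (not from the original advisory): restrict outgoing NTLM on one host.
# The registry value below backs the Group Policy setting
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
# 0 = Allow all, 1 = Audit all, 2 = Deny all. A domain GPO will overwrite a local change.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutgoingNtlmPolicy {
    $v = (Get-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($v) { 1 { 'Audit' } 2 { 'Deny' } default { 'Allow (not configured)' } }
}

function Set-OutgoingNtlmPolicy {
    param(
        [ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode,
        # Servers that may still receive NTLM, backing the policy
        # "Restrict NTLM: Add remote server exceptions for NTLM authentication".
        [string[]]$AllowedServers = @()
    )
    $map = @{ Allow = 0; Audit = 1; Deny = 2 }
    New-Item -Path $lsaKey -Force | Out-Null
    Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Value $map[$Mode] -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $lsaKey -Name 'ClientAllowedNTLMServers' -Value $AllowedServers -Type MultiString
    }
}

# In Audit mode, every outgoing NTLM authentication that Deny would block is logged
# as Event ID 8001. Review these before switching to Deny so legitimate NTLM-only
# services (old NAS devices, appliances) can be added as exceptions.
function Get-OutgoingNtlmAuditEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Target'; e = { ($_.Message -split "`n")[0..2] -join ' ' } }
}

# Defence in depth: a forced authentication to an Internet share needs outbound
# TCP 445. Block it to non-intranet addresses (rule name is hypothetical).
function Block-OutboundSmbToInternet {
    $name = 'Block outbound SMB to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Usage: audit first, review the 8001 events, then move to Deny with any exceptions.
Set-OutgoingNtlmPolicy -Mode Audit
"Outgoing NTLM policy: $(Get-OutgoingNtlmPolicy)"
Get-OutgoingNtlmAuditEvents -Hours 24 | Format-Table -AutoSize
Block-OutboundSmbToInternet
# Set-OutgoingNtlmPolicy -Mode Deny -AllowedServers 'fileserver01.corp.example'   # hypothetical host
```

Deny mode breaks anything that can only authenticate with NTLM, which is why the script goes through Audit first; the exception list keeps those hosts working while everything else is refused. Blocking port 445 does not cover NTLM over HTTP (WebDAV), so environments that do not need the WebClient service should also consider disabling it; the advisory does not state which transport the exploit uses.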
Microsoft has stated that it is investigating the issue and will take necessary action to protect customers. Until an official fix is available, users are advised to apply the unofficial patch or implement the suggested mitigation measures.
Impact
- Unauthorized Access
- Credential Theft
- Data Manipulation
Remediation
- No official patch was available at the time of writing. Monitor Microsoft Automatic Update and the Microsoft Security Update Guide for a fix and apply it as soon as it is released; until then, apply the unofficial micropatch or restrict outgoing NTLM authentication as described above.
- Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.