The patch addresses a dangerous attack that lets an attacker steal Windows NTLM password hashes remotely and freeze the vulnerable machine.
The weaknesses of Microsoft's NTLM architecture are widely known, but exploiting them has so far required user intervention or traffic interception. In this latest attack vector, no user interaction is required and the attack is carried out remotely.
To carry out the attack, the attacker places a malicious SCF file in a publicly shared Windows folder. Public folders without password protection are common in almost all Windows environments.
Once the file is in place, a mysterious bug collects the target's NTLM password hash and uploads it to a pre-configured server. Many free tools are available that can later be used to crack the hash and gain access to the computer.
This attack was disclosed by Juan Diego, a Colombia-based security researcher. He reported the issue to Microsoft back in April, and it was patched 148 days later in the form of security advisory ADV170014.
To fix the flaw, Microsoft has changed two registry keys to disable NTLM on the system. Because these keys exist only on Windows 10 and Windows Server 2016, those are the only versions being patched.
It should also be noted that the root cause of the bug remains unexplained. Speaking to Bleeping Computer, Diego said that Microsoft has been very secretive about the underlying trigger.
Users are advised to apply the patch, as it is also expected to fix other pass-the-hash exploits. And don't share folders without passwords; it isn't worth the risk.
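The two points above (a malicious SCF file dropped into an unprotected share, and the advice not to share folders without passwords) can be checked for on a file server with an audit script. The following PowerShell is an added example written for this page; it is not code from the article, from the researcher, or from Microsoft. It assumes the SmbShare module (available on Windows 8 / Server 2012 and later) and local administrator rights, skips the administrative shares, and reports two things: share permissions that grant Change or Full access to broad principals, and any .scf file under a share, noting whether its IconFile entry points at a UNC path. The script name in the comment is hypothetical.

```powershell
# Added example, not code from the article or from Microsoft.
# Audits local SMB shares for (a) write access granted to broad principals
# and (b) .scf files whose icon points at a UNC path, the vector the
# article describes. Assumes the SmbShare module and local admin rights.
# Usage (hypothetical file name): .\Find-ScfExposure.ps1

# Principals that make a share effectively "public" if given Change/Full.
$broadPrincipals = '^(Everyone|ANONYMOUS LOGON|NT AUTHORITY\\Authenticated Users|.*\\Guest)$'

$findings = @()

# Administrative shares (C$, ADMIN$, IPC$) are flagged Special; skip them.
foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special -and $_.Path })) {

    # (a) Who can write to the share?
    $openWrite = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.AccessRight -in @('Change', 'Full')) -and
        $_.AccountName -match $broadPrincipals
    }
    foreach ($ace in $openWrite) {
        $findings += [PSCustomObject]@{
            Share   = $share.Name
            Path    = $share.Path
            Finding = "Write access for $($ace.AccountName) ($($ace.AccessRight))"
            File    = $null
        }
    }

    # (b) Any .scf files? -Force so hidden or system-attributed files are not missed.
    $scfFiles = Get-ChildItem -Path $share.Path -Filter '*.scf' -File -Recurse -Force `
        -ErrorAction SilentlyContinue
    foreach ($f in $scfFiles) {
        # An IconFile entry pointing at a UNC path (\\host\...) is the indicator
        # that the file will make Explorer reach out to another host.
        $unc = Select-String -Path $f.FullName -Pattern 'IconFile\s*=\s*\\\\' `
            -ErrorAction SilentlyContinue
        $desc = if ($unc) { 'SCF file with UNC IconFile (likely hash-capture lure)' }
                else      { 'SCF file present' }
        $findings += [PSCustomObject]@{
            Share   = $share.Name
            Path    = $share.Path
            Finding = $desc
            File    = $f.FullName
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No broadly writable shares or .scf files found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Anything the script reports is a candidate for action: remove or quarantine the SCF file, and tighten the share ACL so that Change/Full is granted only to named groups that need it. The audit is a complement to applying ADV170014, not a substitute for it, since a writable public share is a risk regardless of which NTLM settings are in effect.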