UPDATED MAY 2024: CISA has released an advisory involving the threat actors involved in this incident. For more information, please refer to our follow-up threat briefing.
What Happened?
Researchers from the data security firm Varonis have identified three Microsoft software vulnerabilities that threat actors can exploit to exfiltrate NTLM v2 hashes from their victims. Threat actors can use these tactics against Microsoft Outlook users, in Windows File Explorer, and Windows Performance Analyzer (WPA).
While Microsoft patched one of these vulnerabilities in December 2023, Microsoft has not issued updates to address the other two, classifying them as “moderate vulnerabilities.”
Key Takeaways
NTLM v2 is a Windows cryptographic protocol that authenticates users to remote servers and transports credentials as password hashes rather than cleartext passwords. Because the protocol does not add a random value (a salt) to the password before hashing, a threat actor who obtains the stored hash can authenticate as that user without ever knowing the password.
While the latest version of NTLM is more secure than the original version, Varonis Labs researchers warn that the protocol is “still vulnerable to offline brute-force and authentication relay attacks.”
Microsoft Outlook Vulnerability (CVE-2023-35636)
Threat actors exploiting this vulnerability take advantage of Microsoft Outlook’s calendar sharing feature. By adding two headers to a calendar invitation email that indicate the email contains sharable content and point the .ICS file path to an attacker-controlled environment, a threat actor can intercept password hashes.
If the victim clicks “Open this iCal” in the email, their computer will expose their NTLM hash during authentication.
Windows File Explorer Exploits
The researchers also discovered two methods that cybercriminals can use to exploit a Windows File Manager process named explorer.exe.
By using Microsoft’s “subquery” parameter, attackers can create a malicious link, send it through a phishing email, a malicious ad, or directly through social media, and obtain a user’s password hash. If an attacker successfully cracks a hash and recovers a credential, they can use it to log into your organization’s environments as the compromised user. However, security analysts can detect use of this parameter with the indicators of compromise published for CVE-2023-23397.
Attackers can also use Microsoft’s “crumb” parameter, follow the exact same process, and evade detection through CVE-2023-23397’s IOCs.
WPA and URI Handler Exploits
In this scenario, the threat actor uses a phishing email designed to direct victims to a malicious website. This malicious site redirects the victim to a payload, prompting the user to click a button named “Open WPA.” When the victim clicks this button, the attacker gets their credentials, hashed in NTLM v2.
The threat actor’s payload is made up of three parts: a URI handler that directs Windows to open the malicious link in WPA, the attacker’s IP address for the victim’s device to connect to, and a third command that instructs the victim’s device to access a specific file.
Why This Matters to MSPs
The risk this threat poses to a user’s hashed passwords emphasizes the need to regularly rotate sensitive credentials and avoid reusing passwords across accounts. By implementing a moving target defense approach, MSPs can reduce the level of risk they face in the event an attacker successfully gets their hands on a password.
Next Steps
CyberQP’s security experts recommend that concerned MSPs and end users take the following actions to mitigate their risk, based on available research:
- Turn on SMB signing, a security feature designed to prevent tampering and man-in-the-middle (MITM) attacks with a digital signature.
- If you’re a Windows 11 user, you can block outgoing NTLM v2 authentication at both the network and application levels.
- Use CVE-2023-23397’s indicators of compromise to detect potential attempts to exfiltrate password hashes.
- Researchers also recommend that users force Kerberos authentication, if possible.
- Deploy a privileged access management solution that automates password rotations for privileged accounts, to implement a moving target defense for your privileged accounts, and mitigate the risk associated with threat actors getting access to old or shared credentials.
- MSPs can also reduce their attack surface with Just-in-Time accounts that only grant privileged access for the amount of time a user needs it. Solutions like these also enable them to meet compliance and cyber insurance best practices by achieving zero standing privilege.
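As an added example that is not part of the original briefing, the PowerShell below applies and verifies the first three mitigations above on a Windows 11 client: SMB signing, outbound NTLM blocking at the application and LSA levels, and a firewall rule that keeps SMB from leaving the network. It assumes an elevated session, that the `RestrictSendingNTLMTraffic` value under `Lsa\MSV1_0` corresponds to the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy, and that the SMB client `-BlockNTLM` switch is only present on Windows 11 24H2 or later.

```powershell
# Added example (not CyberQP's or Varonis's code): harden a Windows 11 client
# against NTLM hash leaks via rogue UNC/.ICS/URI paths. Run elevated.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# 1. Require SMB signing for both the client and server roles.
#    Signed sessions cannot be replayed by an NTLM relay attacker.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 2. Application level: refuse NTLM on outbound SMB connections.
#    The -BlockNTLM switch exists only on Windows 11 24H2+, so probe for it.
$smb = Get-SmbClientConfiguration
if ($smb.PSObject.Properties.Name -contains 'BlockNTLM') {
    Set-SmbClientConfiguration -BlockNTLM $true -Force
} else {
    Write-Warning 'SMB NTLM blocking unavailable on this build; relying on LSA policy and firewall.'
}

# 3. LSA level: restrict outgoing NTLM. Start in audit mode (1) so legacy
#    dependencies surface as Event ID 8001 in Microsoft-Windows-NTLM/Operational,
#    then move to deny-all (2) once that log is quiet.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value 1 -Force | Out-Null
# Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 2   # deny all, after auditing

# 4. Network level: block outbound SMB to the Internet so a leaked path to an
#    attacker-controlled server never completes the NTLM exchange.
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 5. Report the resulting state for the change ticket.
[pscustomobject]@{
    SmbClientSigning = (Get-SmbClientConfiguration).RequireSecuritySignature
    SmbServerSigning = (Get-SmbServerConfiguration).RequireSecuritySignature
    RestrictNtlmSend = (Get-ItemProperty -Path $lsa).RestrictSendingNTLMTraffic
    FirewallRule     = (Get-NetFirewallRule -DisplayName $ruleName).Enabled
}
```

Leave the LSA policy in audit mode until printers, NAS devices and other non-Kerberos hosts have been identified, since a premature deny-all breaks their access rather than the attacker’s.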
Thanks for reading MSP Incident Insights. If you’d like to sign up to receive these threat briefings in your inbox, you can register for our email newsletter.