controlgap.com

Posts about: Microsoft

Understanding the Risks Associated with NTLM Authentication

Despite the release of Kerberos more than 20 years ago, many enterprises have still not transitioned away from NTLM authentication in their IT environments. As attackers continuously refine their tools and tactics, finding new and sophisticated ways to exploit NTLM's inherent weaknesses, the risks of keeping NTLM are becoming increasingly prominent. This article aims to demonstrate some of the most popular contemporary attacks exploiting NTLM, provide insight into why Microsoft is working on disabling NTLM by default during the Windows 11 lifecycle, and underline the urgency of transitioning away from this outdated protocol. Keeping NTLM authentication enabled can lead to rapid (less than one minute) compromises of entire Active Directory domains.

“Follina” – Critical Zero-Day Exploit for Microsoft Products

Background

Over the past holiday weekend, a tweet from Tokyo-based security researcher “nao_sec” first identified an interesting upload to antivirus platform VirusTotal[1]. The Microsoft Word (.docx) file, uploaded from an IP address originating in Belarus, was found to contain a novel mechanism for obtaining PowerShell command execution through Office documents via the Microsoft Support Diagnostic Tool (MS-MSDT) troubleshooting feature. This original malware sample is currently being analyzed by members of the cybersecurity community, including Kevin Beaumont, who posted his analysis on Sunday, May 29th and named the sample “Follina”[2].

This Week's [in]Security - Issue 269

Welcome to This Week's [in]Security.

PCI and payments: PCI updates: Brazil. Skimmers. Payments: New breaches: Nuclear documents, Brexit, GM, Colleges, Toronto. Follow-ups & Fall-out: MGM Resorts, GitHub, NPM.

Privacy: DuckDuck, Facial tech, data safety.

Laws & Regs - Canada: C-11. US: Disclosure, Twitter, Content moderation, Zuckerberg, Trolls. World: Clearview AI, Privacy Shield, Borderless data, Platform liability.

Defense - Tools & Techniques, Vulnerabilities, Advisories: CISA. Zerodays, Patching: VMware, Zoom. Other: AWS key theft or research? Containers, Forging Australian digital IDs, Phishing infosec.

Vulnerability research: Controlling touchscreens remotely, Pre-hijacking accounts, manipulating ML.

Crypto-research: RSA, AES.

Cybercrime: Trends: Crime & Enforcement: Nation States and mercenaries. Other.

Other Risks: General: Health, Safety, Environment, Disinformation, Russia v. Ukraine. Innovation and more.

This Week's [in]Security - Issue 262