Microsoft NTLM Zero-Day to Remain Unpatched Until April


December 9, 2024 at 05:44PM

Microsoft issued guidance on mitigating NTLM relay attacks following the discovery of a zero-day bug affecting all Windows versions that enables credential theft through malicious files. A fix is anticipated in April. In the meantime, organizations are advised to enable Extended Protection for Authentication (EPA) to strengthen their defenses against these attacks.

### Meeting Takeaways:

1. **New Microsoft Guidance**:
– Microsoft has released updated guidance on mitigating NTLM relay attacks following a recently discovered zero-day vulnerability affecting all supported Windows versions from Windows 7 to Windows 11.

2. **Zero-Day Vulnerability Details**:
– The vulnerability allows attackers to capture NTLM credentials by having a user view a malicious file through Windows Explorer.
– Everyday actions such as opening a shared folder or a USB drive that contains the malicious file can lead to credential compromise.
– Microsoft has assessed the severity of this vulnerability as “Important” and plans to release a fix by April.

3. **Historical Context**:
– This is the second reported NTLM credential leak zero-day by ACROS Security to Microsoft since October; the first involved a Windows Themes spoofing issue.

4. **NTLM Protocol Concerns**:
– NTLM is a legacy authentication protocol that poses security risks because attackers can intercept its authentication exchanges and relay them to other services.

5. **Mitigation Strategies**:
– Microsoft emphasizes enabling Extended Protection for Authentication (EPA) by default for LDAP, AD CS, and Exchange Server to protect against NTLM-related threats.
– The guidance also highlights the services most exposed to relay and the recent NTLM coercion vulnerabilities that feed such attacks.

6. **Recommendations**:
– Microsoft suggests organizations follow its guidance for NTLM mitigation while ACROS Security CEO Mitja Kolsek advises considering alternative solutions like 0patch for unsupported software.

7. **Ongoing Monitoring**:
– Both Microsoft and ACROS Security will continue to assess and respond to the vulnerabilities as new information becomes available.

### Action Items:
– Review and implement Microsoft’s updated guidance on NTLM mitigation.
– Monitor for the upcoming patch release scheduled for April.
– Explore the use of 0patch for additional protection in legacy systems.
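As an added defender's check that is not part of the article or of Microsoft's guidance, the following read-only PowerShell snippet audits the two LDAP hardening settings that EPA relies on (channel binding and LDAP signing) on a domain controller. It assumes the standard `NTDS\Parameters` registry location and the documented 0/1/2 meanings of `LdapEnforceChannelBinding` and `LDAPServerIntegrity`; the function name and output fields are this example's own.

```powershell
# Added audit script (not from the article): reports whether a domain controller
# requires LDAP channel binding and LDAP signing, the server-side half of EPA
# for LDAP. Read-only; run in an elevated PowerShell on each DC.
$ntdsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Documented meanings of the DWORD values
$cbMeaning   = @{ 0 = 'Never (disabled)'; 1 = 'When supported'; 2 = 'Always (required)' }
$signMeaning = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

function Get-LdapHardeningState {
    try {
        $props = Get-ItemProperty -Path $ntdsPath -ErrorAction Stop
    } catch {
        throw "Cannot read $ntdsPath - is this host a domain controller? ($_)"
    }
    # Absent values fall back to the OS default, which is not the hardened setting
    $cb   = $props.LdapEnforceChannelBinding
    $sign = $props.LDAPServerIntegrity

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        ChannelBinding         = if ($null -eq $cb)   { 'Not set (OS default)' } else { $cbMeaning[[int]$cb] }
        ChannelBindingHardened = ($cb -eq 2)
        LdapSigning            = if ($null -eq $sign) { 'Not set (OS default)' } else { $signMeaning[[int]$sign] }
        LdapSigningHardened    = ($sign -eq 2)
    }
}

$state = Get-LdapHardeningState
$state | Format-List

if (-not ($state.ChannelBindingHardened -and $state.LdapSigningHardened)) {
    Write-Warning ("LDAP on {0} is not at the hardened setting (signing required, channel binding always); " +
                   "relayed NTLM authentication may still succeed. Review Microsoft's NTLM relay guidance.") -f $state.ComputerName
}
```

Run it via `Invoke-Command` against every domain controller to get one row per DC; a value of `1` ("when supported") still leaves clients without channel-binding support relayable.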
