Yaron Zinar

Find me on:

Recent Posts

The Security Risks of NTLM: Proceed with Caution

Posted by Yaron Zinar on Oct 18, 2018 10:50:00 AM

NTLM (NT LAN Manager) is Microsoft's old authentication protocol that was replaced with Kerberos starting Windows 2000. It was designed and implemented by Microsoft engineers for the purpose of authenticating accounts between Microsoft Windows machines and servers. Even though it has not been the default for Windows deployments for more than 17 years, it is still very much in use, and I have not yet seen a network where it has been completely abandoned. In fact, it also supported by the latest version of Active Directory.

Read More

Topics: NTLM, Active Directory, Risk, kerberos

Is Your PAM Solution Enough to Block Credential Theft?

Posted by Yaron Zinar on Sep 20, 2018 1:48:15 PM

I was recently working with a large US-based company that suffered from repeated breaches to their corporate network. After we deployed the Preempt Platform and started monitoring all traffic, we quickly found several hacked privileged accounts that attackers were using. The interesting thing was that all privileged accounts were protected with password vaults and their passwords were rotated every 24 hours. In that particular case, the attackers compromised a web gateway that some admins logged into each day using a plaintext password. Using this weakness, attackers easily defeated the Privileged Access Management (PAM) solution, they simply had to harvest the password each day and do whatever they wanted with it.

Read More

Disrupting the Cyber Kill Chain: How to Contain Use of Tools and Protocols

Posted by Yaron Zinar on Aug 17, 2018 1:59:37 PM

Preventing lateral movement and unauthorized domain access due to the misuse of network credentials - especially due to reconnaissance tools looking for weak spots - is a challenge plaguing many enterprises. In fact, it’s a decades-old security problem. A major issue for enterprises has been how to detect and contain the use of reconnaissance tools like BloodHound, authentication protocols such as NTLM, DCE/RPC, Kerberos and Lightweight Directory Access Protocol (LDAP), as well as other IT tools like PsExec and Powershell that are being misused or exploited by attackers.

Read More

Security Advisory: Critical Vulnerability in CredSSP Allows Remote Code Execution on Servers Through MS-RDP (Video)

Posted by Yaron Zinar on Mar 13, 2018 10:03:36 AM

In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a vulnerability discovered by Preempt researchers. The vulnerability consists of a logical flaw in Credential Security Support Provider protocol (CredSSP) which is used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) that takes care of securely forwarding credentials to target servers. The vulnerability can be exploited by attackers by employing a man-in-the-middle attack to achieve the ability to run code remotely on previously not infected machines in the attacked network. The vulnerability, in many real-world scenarios where victim network has vulnerable network equipment, could result in an attacker gaining the ability to move laterally in the victim’s network and even infect domain controller with malicious software. No attacks have been detected in the wild by Preempt.

Read More

Topics: kerberos, Threat Detection, Security Advisory, Microsoft, CredSSP, Hacking

Lessons from Black Hat USA 2017: Defense in Depth

Posted by Yaron Zinar on Aug 18, 2017 4:19:49 PM

Last month I attended Black Hat USA 2017 conference. It did not disappoint. Overall the event and packed agenda was well worth it. I enjoyed the vibe, the networking, the briefings, the business hall and the wonderful keynote by Alex Stamos (I recommend you follow Eran’s post who shared some of Alex’s deep insights).  Overall the event covered a broad array of bleeding edge infosec topics with sessions on research, zero day exploits, open source tools, and other security risks and trends.  

Read More

Topics: big data, Lateral Movement, Black Hat

New LDAP & RDP Relay Vulnerabilities in NTLM

Posted by Yaron Zinar on Jul 11, 2017 10:01:54 AM

Over the past few months, the Preempt research team discovered and reported two Microsoft NT LAN Manager (NTLM) vulnerabilities. These vulnerabilities have a common theme around two different protocols handling NTLM improperly. These issues are particularly significant as they can potentially allow an attacker to create new domain administrator accounts even when best-practice controls such as LDAP server signing and RDP restricted admin mode are enabled.

Read More

Topics: NTLM, Domain Controller, Threat Detection, Hacking, Microsoft, Security Advisory

How to Stop NotPetya and Similar Ransomware from Spreading in the Network

Posted by Yaron Zinar on Jul 5, 2017 2:06:01 PM

NotPetya, a recent malware, masquerading as the known Petya ransomware started wreaking havoc at a world scale last week. Initially, it looked like another wave in the malware storm that started with Shadow Brokers’ publication of EternalBlue and other zero-day vulnerabilities in Windows OS. And, in fact, NotPetya used EternalBlue as one of the lateral movement methods in its arsenal. But, apparently, the developers of NotPetya wanted to hit some high-value targets and the risk that these networks had already been fully patched would have ruined their attack.

Read More

Topics: Ransomware, Credential Compromise, ueba, Adaptive Response

1 in 5 Enterprise Passwords Can Be Easily Compromised

Posted by Yaron Zinar on Jun 14, 2017 5:00:00 AM

Recently, the new draft of NIST guidelines was released and proposed a shift in password strategy from periodic changes with complexity requirements to use of a long "memorized secret.” Many organizations have forced regular password changes and password complexity but this has failed them.

Read More

Topics: Passwords, CISO

Real-time vs After the Fact: Pitfalls of Log-based Behavioral Threat Detection

Posted by Yaron Zinar on Apr 13, 2017 7:52:35 AM

It was recently published that Shadow Brokers, the group behind the Equation Group leak, are selling a new set of tools that have the ability to tamper with Windows event logs. What stood out to me is the inefficiency of security solutions that rely solely on logs for detecting threats. Implementing a security analytics or a UEBA product that relies on logs for detection of advanced cyber threats has advantages, but it is also risky.

Read More

Topics: Threat Detection, APT, User and Entity Behavior Analytics

Kerberos, NTLM and SAM: 3 Ways Attackers Can Crack Passwords

Posted by Yaron Zinar on Mar 23, 2017 9:25:12 AM

In a previous blog, we discussed the prevalence of weak passwords in the Enterprise. The fact of the matter is, once an attacker gains access to password challenges and exfiltrates them for offline cracking, they can crack them in most cases.

Read More

Topics: Passwords, NTLM, kerberos, SAM