Over the past few months, the Preempt research team discovered and reported two Microsoft NT LAN Manager (NTLM) vulnerabilities. These vulnerabilities have a common theme around two different protocols handling NTLM improperly. These issues are particularly significant as they can potentially allow an attacker to create new domain administrator accounts even when best-practice controls such as LDAP server signing and RDP restricted admin mode are enabled.
NotPetya, a recent malware, masquerading as the known Petya ransomware started wreaking havoc at a world scale last week. Initially, it looked like another wave in the malware storm that started with Shadow Brokers’ publication of EternalBlue and other zero-day vulnerabilities in Windows OS. And, in fact, NotPetya used EternalBlue as one of the lateral movement methods in its arsenal. But, apparently, the developers of NotPetya wanted to hit some high-value targets and the risk that these networks had already been fully patched would have ruined their attack.
Recently, the new draft of NIST guidelines was released and proposed a shift in password strategy from periodic changes with complexity requirements to use of a long "memorized secret.” Many organizations have forced regular password changes and password complexity but this has failed them.
It was recently published that Shadow Brokers, the group behind the Equation Group leak, are selling a new set of tools that have the ability to tamper with Windows event logs. What stood out to me is the inefficiency of security solutions that rely solely on logs for detecting threats. Implementing a security analytics or a UEBA product that relies on logs for detection of advanced cyber threats has advantages, but it is also risky.
In a previous blog, we discussed the prevalence of weak passwords in the Enterprise. The fact of the matter is, once an attacker gains access to password challenges and exfiltrates them for offline cracking, they can crack them in most cases.
NTLM (NT LAN Manager) is Microsoft's old authentication protocol that was replaced with Kerberos starting Windows 2000. It was designed and implemented by Microsoft engineers for the purpose of authenticating accounts between Microsoft Windows machines and servers. Even though it has not been the default for Windows deployments for more than 15 years, it is still very much in use and I have not yet seen a network where it has been completely abandoned. In fact it also supported by the latest version of Active Directory.
In recent years, the use of smart card widely increased as a secure form of authentication for a wide range of applications, ranging from mobile networks requiring a SIM card in mobile devices to credit card vendors making smart cards, the de facto standard for credit cards.