Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords

INDIA NEWS (indiavpn.org), Mon, 29 Jan 2024

Jan 29, 2024 | Newsroom | Vulnerability / NTLM Security


A now-patched security flaw in Microsoft Outlook could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file.

The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was addressed by the tech giant as part of its Patch Tuesday updates for December 2023.

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft said in an advisory released last month.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.”


Put differently, the adversary would have to convince users to click a link, either embedded in a phishing email or sent via an instant message, and then deceive them into opening the file in question.

CVE-2023-35636 is rooted in the calendar-sharing function in the Outlook email application, wherein a malicious email message is created by inserting two headers “Content-Class” and “x-sharing-config-url” with crafted values in order to expose a victim’s NTLM hash during authentication.
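A defender-side check for the pattern just described, added here as an example (it is not code from the article, Varonis or Microsoft): it parses a message, looks for the x-sharing-config-url header, and flags the message when the host it points to is outside an internal allowlist. The allowlist entry and the two sample messages are constructed for the example.

```python
import ipaddress
from email import message_from_string
from urllib.parse import urlparse

# Assumed allowlist of internal hosts permitted to serve sharing configuration
# (placeholder name for this example; a real deployment substitutes its own).
ALLOWED_SHARING_HOSTS = {"calendar.corp.example"}

def sharing_config_host(value):
    """Extract the host named by an x-sharing-config-url value (URL or UNC path)."""
    value = value.strip()
    if value.startswith("\\\\"):
        # UNC form \\host\share\file: the host is the first path component
        return value.lstrip("\\").split("\\", 1)[0].lower() or None
    return (urlparse(value).hostname or "").lower() or None

def host_is_internal(host):
    """True for allowlisted names and for private-range IP literals."""
    if host in ALLOWED_SHARING_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def assess_message(raw_message):
    """Classify one RFC 822 message as 'clean', 'internal' or 'suspicious'."""
    msg = message_from_string(raw_message)
    url = msg.get("x-sharing-config-url")  # header lookup is case-insensitive
    if url is None:
        return "clean"
    host = sharing_config_host(url)
    # A sharing-config location outside the organisation is the pattern the
    # article describes, so flag it regardless of what Content-Class claims.
    if host is not None and host_is_internal(host):
        return "internal"
    return "suspicious"

# Constructed sample messages for offline testing, not real captured mail.
SAMPLE_EXTERNAL = (
    "From: sender@example.org\r\nContent-Class: Sharing\r\n"
    "x-sharing-config-url: \\\\files.not-ours.example\\share\\cfg\r\n"
    "Subject: Shared calendar\r\n\r\nbody\r\n"
)
SAMPLE_INTERNAL = (
    "From: colleague@corp.example\r\nContent-Class: Sharing\r\n"
    "x-sharing-config-url: https://calendar.corp.example/cfg\r\n"
    "Subject: Shared calendar\r\n\r\nbody\r\n"
)
```

Run at a mail gateway or over an exported mailbox, a "suspicious" result is worth correlating with outbound SMB or HTTP authentication attempts from the client that opened the message.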

Varonis security researcher Dolev Taler, who has been credited with discovering and reporting the bug, said NTLM hashes could be leaked by leveraging Windows Performance Analyzer (WPA) and Windows File Explorer. These two attack methods, however, remain unpatched.

“What makes this interesting is that WPA attempts to authenticate using NTLM v2 over the open web,” Taler said.


“Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.”

The disclosure comes as Check Point revealed a case of “forced authentication” that could be weaponized to leak a Windows user’s NTLM tokens by tricking a victim into opening a rogue Microsoft Access file.

Microsoft, in October 2023, announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security, owing to the fact that NTLM does not support modern cryptographic methods and is susceptible to relay attacks.

CISA Urges Manufacturers Eliminate Default Passwords to Thwart Cyber Threats

INDIA NEWS (indiavpn.org), Mon, 25 Dec 2023

Dec 18, 2023 | Newsroom | Software Security / Vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations.

In an alert published last week, the agency called out Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) for exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S.

Default passwords refer to factory default software configurations for embedded systems, devices, and appliances that are typically publicly documented and identical among all systems within a vendor’s product line.

As a result, threat actors could scan for internet-exposed endpoints using tools like Shodan and attempt to breach them through default passwords, often gaining root or administrative privileges to perform post-exploitation actions depending on the type of the system.

“Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary,” MITRE notes.


Earlier this month, CISA revealed that IRGC-affiliated cyber actors using the persona Cyber Av3ngers are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that are publicly exposed to the internet through the use of default passwords (“1111”).

“In these attacks, the default password was widely known and publicized on open forums where threat actors are known to mine intelligence for use in breaching U.S. systems,” the agency added.


As mitigation measures, manufacturers are being urged to follow secure by design principles and provide unique setup passwords with the product, or alternatively disable such passwords after a preset time period and require users to enable phishing-resistant multi-factor authentication (MFA) methods.

The agency further advised vendors to conduct field tests to determine how their customers are deploying the products within their environments and if they involve the use of any unsafe mechanisms.

“Analysis of these field tests will help bridge the gap between developer expectations and actual customer usage of the product,” CISA noted in its guidance.


“It will also help identify ways to build the product so customers will be most likely to securely use it—manufacturers should ensure that the easiest route is the secure one.”

The disclosure comes as the Israel National Cyber Directorate (INCD) attributed cyber attacks targeting critical infrastructure in the country to a Lebanese threat actor with connections to the Iranian Ministry of Intelligence, amidst Israel’s ongoing war with Hamas since October 2023.

The attacks, which involve the exploitation of known security flaws (e.g., CVE-2018-13379) to obtain sensitive information and deploy destructive malware, have been tied to an attack group named Plaid Rain (formerly Polonium).


The development also follows the release of a new advisory from CISA that outlines security countermeasures for healthcare and critical infrastructure entities to fortify their networks against potential malicious activity and reduce the likelihood of domain compromise –

  • Enforce strong passwords and phishing-resistant MFA
  • Ensure that only ports, protocols, and services with validated business needs are running on each system
  • Configure service accounts with only the permissions necessary for the services they operate
  • Change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems
  • Discontinue reuse or sharing of administrative credentials among user/administrative accounts
  • Mandate consistent patch management
  • Implement network segregation controls
  • Evaluate the use of unsupported hardware and software and discontinue where possible
  • Encrypt personally identifiable information (PII) and other sensitive data

On a related note, the U.S. National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and CISA published a list of recommended practices that organizations can adopt in order to harden the software supply chain and improve the safety of their open-source software management processes.

“Organizations that do not follow a consistent and secure-by-design management practice for the open-source software they utilize are more likely to become vulnerable to known exploits in open-source packages and encounter more difficulty when reacting to an incident,” said Aeva Black, open-source software security lead at CISA.
