Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates.
Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting Exchange Server.
“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,” the company said in an advisory published this week.
“The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”
Successful exploitation of the flaw could permit an attacker to relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user, Redmond added.
The tech giant, in an update to its bulletin, revised its Exploitability Assessment to “Exploitation Detected,” noting that it has now enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14) update.
Details about the nature of the exploitation and the identity of the threat actors that may be abusing the flaw are currently unknown. However, Russian state-affiliated hacking crews such as APT28 (aka Forest Blizzard) have a history of exploiting flaws in Microsoft Outlook to stage NTLM relay attacks.
Earlier this month, Trend Micro implicated the adversary in NTLM relay attacks targeting high-value entities since at least April 2022. The intrusions targeted organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.
CVE-2024-21410 adds to two other Windows flaws – CVE-2024-21351 (CVSS score: 7.6) and CVE-2024-21412 (CVSS score: 8.1) – that were patched by Microsoft this week and have been actively weaponized in real-world attacks.
The exploitation of CVE-2024-21412, a bug that allows a bypass of Windows SmartScreen protections, has been attributed to an advanced persistent threat dubbed Water Hydra (aka DarkCasino), which has previously leveraged zero-days in WinRAR to deploy the DarkMe trojan.
“The group used internet shortcuts disguised as a JPEG image that, when selected by the user, allows the threat actor to exploit CVE-2024-21412,” Trend Micro said. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain.”
Microsoft’s Patch Tuesday update also addresses CVE-2024-21413, another critical shortcoming affecting the Outlook email software that could result in remote code execution by trivially circumventing security measures such as Protected View.
Codenamed MonikerLink by Check Point, the issue “allows for a wide and serious impact, varying from leaking of local NTLM credential information to arbitrary code execution.”
The vulnerability stems from the incorrect parsing of “file://” hyperlinks when an exclamation mark is appended to URLs pointing to arbitrary payloads hosted on attacker-controlled servers (e.g., “file:///\\10.10.111.111\test\test.rtf!something”).
“The bug not only allows the leaking of the local NTLM information, but it may also allow remote code execution and more as an attack vector,” the cybersecurity company said. “It could also bypass the Office Protected View when it is used as an attack vector to target other Office applications.”
Some pieces of this report are sourced from:
thehackernews.com