Cybersecurity researchers have found out a scenario of “compelled authentication” that could be exploited to leak a Windows user’s NT LAN Manager (NTLM) tokens by tricking a sufferer into opening a specially crafted Microsoft Accessibility file.
The attack usually takes edge of a respectable characteristic in the databases administration system answer that allows buyers to url to exterior info sources, these as a remote SQL Server table.
“This aspect can be abused by attackers to immediately leak the Windows user’s NTLM tokens to any attacker-controlled server, by means of any TCP port, such as port 80,” Examine Point security researcher Haifei Li reported. “The attack can be introduced as extensive as the target opens an .accdb or .mdb file. In truth, any more-widespread Workplace file kind (this kind of as a .rtf ) can work as effectively.”
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
NTLM, an authentication protocol introduced by Microsoft in 1993, is a challenge-reaction protocol that is employed to authenticate buyers for the duration of indication-in. About the many years, it has been observed to be vulnerable to brute-drive, pass-the-hash, and relay attacks.
The hottest attack, in a nutshell, abuses the linked table element in Entry to leak the NTLM hashes to an actor-managed server by embedding an .accdb file with a distant SQL Server databases website link within of an MS Word doc working with a mechanism referred to as Object Linking and Embedding (OLE).
“An attacker can established up a server that they management, listening on port 80, and put its IP address in the over ‘server alias’ discipline,” Li defined. “Then they can send out the database file, which include the linked desk, to the victim.”
Need to the sufferer open the file and click the connected table, the target shopper contacts the attacker-controlled server for authentication, enabling the latter to pull off a relay attack by launching an authentication approach with a targeted NTLM server in the same firm.
The rogue server then gets the challenge, passes it on to the target, and receives a valid response, which is ultimately transmitted to the sender that difficulties the CV as part of the attacker-managed CV↔ SA authentication process receives legitimate reaction and then passes that reaction to the NTLM server.
Even though Microsoft has because launched mitigations for the challenge in the Office environment/Obtain version (Current Channel, edition 2306, develop 16529.20182) next dependable disclosure in January 2023, 0patch has unveiled unofficial fixes for Business 2010, Workplace 2013, Business office 2016, Office environment 2019, and Place of work 365.
The advancement also arrives as Microsoft announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for enhanced security.
Discovered this article intriguing? Comply with us on Twitter and LinkedIn to go through extra exclusive written content we submit.
Some areas of this post are sourced from:
thehackernews.com
N. Korean Hackers ‘Mixing’ macOS Malware Tactics to Evade Detection