
The Cyber Security News


New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain

June 21, 2022

A new form of Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to seize control of a domain.

“Spooler service disabled, RPC filters installed to avoid PetitPotam and File Server VSS Agent Service not installed but you nevertheless want to relay [Domain Controller] authentication to [Active Directory Certificate Services]? Really don’t worry MS-DFSNM have (sic) your back,” security researcher Filip Dragovic said in a tweet.


MS-DFSNM provides a remote procedure call (RPC) interface for administering distributed file system configurations.

The NTLM (NT LAN Manager) relay attack is a well-known method that exploits the challenge-response mechanism. It allows malicious parties to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources, effectively gaining an initial foothold in Active Directory environments.

The discovery of DFSCoerce follows a similar method known as PetitPotam that abuses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to coerce Windows servers, including domain controllers, into authenticating with a relay under an attacker’s control, allowing threat actors to potentially take over an entire domain.


“By relaying an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or the Certificate Enrollment Web Service on an AD CS system, an attacker can attain a certificate that can be utilised to get a Ticket Granting Ticket (TGT) from the domain controller,” the CERT Coordination Center (CERT/CC) said, detailing the attack chain.

To mitigate NTLM relay attacks, Microsoft recommends enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on AD CS servers.
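
A defender-side check for the relay chain and mitigations described above, as an added example that is not part of the original article: it scans IIS W3C logs from an AD CS server for Web Enrollment requests made over plain HTTP or authenticated as a domain controller machine account from an address that does not belong to that DC. The `/certsrv/` path, the DC inventory, the function names and the log lines are assumptions constructed for illustration.

```python
# Added example: look for signs of relayed DC authentication in AD CS IIS logs.

# Assumption: inventory of DC machine accounts and their real addresses (constructed).
DC_INVENTORY = {"CORP\\DC01$": {"10.0.0.10"}, "CORP\\DC02$": {"10.0.0.11"}}
# Assumption: Web Enrollment is served from the default /certsrv/ virtual directory.
ENROLL_PREFIXES = ("/certsrv/",)

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-06-21 09:14:02 10.0.0.20 GET /certsrv/certrqxt.asp - 443 CORP\\alice 10.0.5.31 200
2022-06-21 09:15:40 10.0.0.20 POST /certsrv/certfnsh.asp - 80 CORP\\DC01$ 10.0.7.99 200
2022-06-21 09:16:05 10.0.0.20 GET /certsrv/certnew.cer ReqID=41&Enc=b64 80 CORP\\DC01$ 10.0.7.99 200
2022-06-21 09:20:11 10.0.0.20 GET /iisstart.htm - 80 - 10.0.5.31 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the column order from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_relay_indicators(text, inventory=DC_INVENTORY):
    """Return (time, account, client_ip, reasons) for suspicious enrollment requests."""
    known = {name.upper(): ips for name, ips in inventory.items()}
    findings = []
    for req in parse_w3c(text):
        if not req.get("cs-uri-stem", "").lower().startswith(ENROLL_PREFIXES):
            continue
        reasons = []
        # Plain HTTP has no TLS channel for EPA to bind the authentication to.
        if req.get("s-port") == "80":
            reasons.append("enrollment over plain HTTP")
        # A DC account arriving from some other host is what a relay looks like to the CA.
        user = req.get("cs-username", "-").upper()
        if user in known and req.get("c-ip") not in known[user]:
            reasons.append("DC account from non-DC address")
        if reasons:
            findings.append((req.get("time"), req.get("cs-username"), req.get("c-ip"), reasons))
    return findings

if __name__ == "__main__":
    for finding in find_relay_indicators(SAMPLE_LOG):
        print(finding)
```
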



Some parts of this article are sourced from:
thehackernews.com
