In a recent security disclosure, Microsoft Outlook was found to have a vulnerability (CVE-2023-35636) that allowed attackers to steal users' NTLM v2 hashes, a widely used cryptographic protocol used for user authentication in Microsoft Windows. Even though the vulnerability has been patched, two additional unpatched vulnerabilities have been discovered, highlighting the ongoing threat of attackers stealing NTLM hashes. This blog will delve into the dangers posed by stolen NTLM hashes and provide tips on how organizations can protect themselves.
Understanding NTLM Hashes
NTLM v2 hashes are used by Microsoft Windows to authenticate users to remote servers using password hashes. Attackers can exploit compromised NTLM v2 hashes in two ways: authentication relay attacks or offline brute-force attacks. In authentication relay attacks, the attacker intercepts NTLM v2 authentication requests and forwards them to a different server, gaining access to sensitive enterprise systems and resources. Offline brute-force attacks involve the attacker using the stolen NTLM hashes to attempt to reveal the original passwords.
Methods Used by Attackers
Researchers from Varonis Threat Labs have discovered three methods that attackers can use to steal NTLM v2 hashes: exploiting vulnerabilities in Microsoft Outlook, using URI handlers and Windows Performance Analyzer, and utilizing Windows File Explorer. They have provided proof-of-concept exploits for all three attack paths, highlighting the ease with which an unsuspecting victim can fall prey to these attacks. For example, by simply clicking on a link or button in an email invite crafted by the attacker, the victim's machine attempts to retrieve a configuration file, exposing the NTLM hash during authentication.
Preventing NTLM Hash Theft
While the Outlook vulnerability has been fixed by Microsoft, the two remaining vulnerabilities are still unpatched, leaving systems vulnerable to attackers attempting to steal NTLM hashes. To protect against these attacks, organizations can take the following measures:
01. Enable SMB signing: By switching on Server Message Block (SMB) signing, organizations can protect against unauthorized modifications to SMB packets, enhancing the integrity and security of communication.
02. Block outgoing NTLM v2 authentication: Organizations can mitigate the risk of NTLM hash theft by blocking outbound NTLM v2 authentication, thereby invalidating attackers' attempts to relay authentication requests.
03. Use Kerberos authentication: Organizations should prioritize Kerberos authentication whenever possible and block NTLM v2 on both the network and application levels. Kerberos offers stronger security and is less susceptible to hash theft.
Microsoft's Future Plans
Microsoft has recognized the inherent security risks associated with NTLM and is making efforts to reduce its usage. They have outlined plans to disable NTLM altogether in Windows 11 as part of their ongoing commitment to improving security.
The theft of NTLM v2 hashes poses a serious security threat, enabling attackers to gain unauthorized access to sensitive enterprise systems and resources. Although Microsoft has patched one of the vulnerabilities, organizations must remain vigilant and take necessary precautions to protect against the theft of NTLM hashes. By implementing measures such as enabling SMB signing, blocking outgoing NTLM v2 authentication, and prioritizing Kerberos authentication, organizations can significantly reduce their vulnerability to NTLM hash theft. With ongoing efforts by Microsoft to dispense with NTLM in future versions of Windows, the security landscape is gradually becoming more robust against these types of attacks.