Microsoft Surreptitiously Addressed ShadowCoerce Vulnerability

Microsoft has acknowledged that it patched the previously known ShadowCoerce vulnerability, which could allow attackers to target Windows servers in NTLM relay attacks.

What is an NTLM relay attack?

In an NTLM relay attack, a threat actor forces an unpatched server to authenticate against a server under the attacker's control and relays that authentication to another service, which can lead to a takeover of the victim domain.

The Microsoft Domain Takeover

The MS-FSRVP protocol is used to create shadow copies of file shares on remote computers.
  • This protocol is also vulnerable to NTLM relay attacks, which allow threat actors to coerce a domain controller into authenticating against a malicious NTLM relay they control.
  • The malicious server then forwards the authentication request to the domain's AD CS server in order to obtain a Kerberos TGT.
  • The attacker can use the TGT to impersonate any network device, including a Windows domain controller.
  • After impersonating a domain controller, they gain elevated privileges, which they can use to take over the Windows domain.

It's patched

A Microsoft spokesperson told BleepingComputer that no public announcement was made, but that ShadowCoerce was mitigated with CVE-2022-30154. The vulnerability was silently patched while being researched with the 0Patch team. Microsoft also patched a zero-day Windows LSA spoofing bug in May; tracked as CVE-2022-26925, it was later confirmed to be a PetitPotam variant.

How to stay protected

According to security experts, following Microsoft's advisory on preventing the PetitPotam NTLM relay attack is the best approach to defend against such attacks. Disabling web services on Active Directory Certificate Services (AD CS) servers, turning off NTLM on domain controllers, and turning on Extended Protection for Authentication and signing features to safeguard Windows credentials are all suggested mitigations.
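As an added example (not from the article or from Microsoft's advisory), the following PowerShell performs a read-only audit of the mitigations listed above on a single server. It assumes the ServerManager and WebAdministration modules are available and that AD CS web enrollment lives at the default IIS path "Default Web Site/CertSrv".

```powershell
# Added example: audit ShadowCoerce/PetitPotam mitigations on one host (run elevated).
# Assumptions: ServerManager + WebAdministration modules present; CertSrv at default IIS path.
Import-Module ServerManager
$findings = @()

# 1. MS-FSRVP is only exposed when the File Server VSS Agent Service role is installed.
if ((Get-WindowsFeature -Name FS-VSS-Agent).Installed) {
    $findings += 'FS-VSS-Agent is installed: MS-FSRVP coercion surface is present'
}

# 2. AD CS web services are the relay targets; note if they are installed on this host.
foreach ($f in 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc') {
    if ((Get-WindowsFeature -Name $f).Installed) { $findings += "$f is installed on this host" }
}

# 3. Extended Protection for Authentication and HTTPS-only on the CertSrv application.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $certSrv = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed default path
    if (Test-Path $certSrv) {
        $epa = Get-WebConfigurationProperty -PSPath $certSrv `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name 'extendedProtection.tokenChecking'
        if ($null -ne $epa.Value) { $epa = $epa.Value }   # unwrap ConfigurationAttribute if returned
        if ("$epa" -ne 'Require') { $findings += "CertSrv EPA tokenChecking is '$epa', expected 'Require'" }

        $ssl = Get-WebConfigurationProperty -PSPath $certSrv `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'
        if ($null -ne $ssl.Value) { $ssl = $ssl.Value }
        if ("$ssl" -notmatch 'Ssl') { $findings += "CertSrv does not require SSL (sslFlags='$ssl')" }
    }
}

# 4. Outgoing NTLM restriction (2 = deny all); on a DC this is the "turn off NTLM" control.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($restrict -ne 2) { $findings += "RestrictSendingNTLMTraffic is '$restrict', expected 2 (deny all)" }

if ($findings.Count -eq 0) { 'No findings: listed mitigations are in place' } else { $findings }
```

The script only reports; apply the advisory's changes through Group Policy or Server Manager after reviewing the findings.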
Cyware Publisher
