Cyber Security News — Past 24 hours | 26.07.2021
New PetitPotam NTLM Relay Attack Lets Hackers Take Over Windows Domains
A newly uncovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM relay attack and completely take over a Windows domain.
Stack Overflow Teams
Specifically, the attack enables a domain controller to authenticate against a remote NTLM under a bad actor’s control using the MS-EFSRPC interface and share its authentication information. This is done by connecting to LSARPC, resulting in a scenario where the target server connects to an arbitrary server and performs NTLM authentication. “An attacker can target a Domain Controller to send its credentials by using the MS-EFSRPC protocol and then relaying the DC NTLM credentials to the Active Directory Certificate Services AD CS Web Enrollment pages to enroll a DC certificate,” TRUESEC’s Hasain Alshakarti said.
Prevent Data Breaches
“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication or signing features such as SMB signing,” Microsoft noted. To safeguard against this line of attack, the Windows maker is recommending that customers disable NTLM authentication on the domain controller.
Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems
An infamous cross-platform crypto-mining malware has continued to refine and improve upon its techniques to strike both Windows and Linux operating systems by setting its sights on older vulnerabilities, while simultaneously latching on to a variety of spreading mechanisms to maximize the effectiveness of its campaigns.
Stack Overflow Teams
The malware is notorious for its ability to propagate rapidly across an infected network to facilitate information theft and turn the machines into cryptocurrency mining bots by diverting their computing resources to illegally mine cryptocurrency. Notably, LemonDuck acts as a loader for follow-on attacks that involve credential theft and the installation of next-stage implants that could act as a gateway to a variety of malicious threats, including ransomware.
Prevent Ransomware Attacks
Attacks incorporating LemonDuck malware have been primarily focused on the manufacturing and IoT sectors, with the U.S, Russia, China, Germany, the U.K., India, Korea, Canada, France, and Vietnam witnessing the most encounters.
Additionally, Microsoft outed the operations of a second entity that relies on LemonDuck for achieving «separate goals», which the company codenamed «LemonCat.» The attack infrastructure associated with the «Cat» variant is said to have emerged in January 2021, ultimately leading to its use in attacks exploiting vulnerabilities targeting Microsoft Exchange Server.
How to Mitigate Microsoft Windows 10, 11 SeriousSAM Vulnerability
Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly.
As we reported last week, the vulnerability — SeriousSAM — allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash attack.
Attackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager and Registry, and ultimately run arbitrary code with SYSTEM privileges.
Delete all users from the built-in users’ group — this is a good place to start from, but won’t protect you if Administrator credentials are stolen.
Restrict SAM files and Registry permissions — allow access only for Administrators.
Despite the fact that the last recommendation offers a good solution for SeriousSAM, it may negatively impact your production if not properly tested before it is pushed.
The following are Dvir’s recommendations for mitigating without causing downtime
Set up a test environment that will simulate your production environment. Simulate all possible dependencies of your network as accurately as you can.
Analyze the impact of this rule on your test environment.
Here is what you will gain from a Hardening Automation Tool
Automatically generate the most accurate possible impact analysis report — hardening automation tools ‘learns’ your production dependencies and report to you the potential impact of each policy rule.
BIMI: A Visual Take on Email Authentication and Security
There is a saying that goes something like, «Do not judge a book by its cover.» Yet, we all know we can not help but do just that — especially when it comes to online security.
BIMI is a standard that allows organizations to display their unique brand logos alongside DMARC-compliant emails by changing certain DNS records. BIMI centralizes logo display by allowing domain owners to use a single, standardized image. Eliminating the need for proprietary systems for logo display and management also eliminates the frustration of brand proliferation. It improves the user experience across the email inbox.
The highlight of 2021: Gmail extends support to BIMI
Previously, BIMI was supported by Verizon Media, including Yahoo!, AOL, and Netscape, while Fastmail and Gmail were still working on their pilot program. In July 2021, the makers of BIMI made the long-awaited announcement that Google was officially rolling out BIMI to all Gmail inboxes.
Verified Mark Certificates is a solution that helps businesses display verified brand logos in the clients’ sender field.
A BIMI record is essentially a DNS TXT record that needs to be published to your domain’s DNS to configure the protocol.
Email Authentication and Security
Hosted BIMI services that let you configure and run the protocol effortlessly, as PowerBIMI handles all the complexity in the background.
Protocol implementation for the end-user is reduced to publishing a single CNAME record.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT