fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Windows ‘RemotePotato0’ Zero-day Gets an Unofficial Patch

Windows ‘RemotePotato0’ Zero-day Gets an Unofficial Patch

A privilege escalation vulnerability impacting all Windows versions that can let threat actors gain domain admin privileges through an NTLM relay attack has received unofficial patches after Microsoft tagged it as “won’t fix.”

The vulnerability, dubbed RemotePotato0 Sentinel LABS researcher Antonio Cocomazzi and independent researcher Andrea Pierini, who found it and disclosed it in April 2021, is a zero-day flaw (according to Microsoft’s own definition) that is yet to receive a CVE ID after Redmond refused to issue a fix.

It makes it possible for attackers to trigger authenticated RPC/DCOM calls and relay the NTLM authentication to other protocols, which allows them to elevate privileges to domain administrator, likely allowing full domain compromise.

Also Read: 6 Ways to Protect Your Business From Employee Data Theft

“It allows a logged-in low-privileged attacker to launch one of several special-purpose applications in the session of any other user who is also currently logged in to the same computer, and make that application send said user’s NTLM hash to an IP address chosen by the attacker,” 0patch co-founder Mitja Kolsek explained in a blog post sharing info on free micropatches released to block RemotePotato0 exploitation on impacted servers.

“Intercepting an NTLM hash from a domain administrator, the attacker can craft their own request for the domain controller pretending to be that administrator and perform some administrative action such as adding themselves to the Domain Administrators group.”

While the attackers would have to trick home users with admin privileges into logging in at the time of the attack for successful exploitation.

However, as Kolsek said, this is a lot easier on Windows Server systems since multiple users are logged simultaneously, including administrators, thus eliminating the social engineering requirement.

A video demo of the RemotePotato0 micropatch in action is embedded below.

Admins told to disable NTLM or correctly configure servers

The Windows NT (New Technology) LAN Manager (NTLM) authentication protocol is used to authenticate remote users and to provide session security when requested by app protocols.

Kerberos has superseded NTLM, the current default auth protocol for domain-connected devices for all Windows 2000 and later.

Despite this, NTLM is still in use on Windows servers, allowing attackers to exploit vulnerabilities like RemotePotato0 designed to bypass NTLM relay attack mitigations.

Microsoft told the researchers that Windows admins should either disable NTLM or configure their servers to block NTLM relay attacks using Active Directory Certificate Services (AD CS).

The researchers “hope that MS reconsider their decision not to fix this serious vulnerability” since RemotePotato0 can be exploited without requiring the target’s interaction by relaying authentication to other protocols, unlike similar NTLM relay attack techniques using bugs like CVE-2020-1113 and CVE-2021-1678.

Also Read: The 6 Types of Shredder Security Levels: Advantage Business Equipment

Free patch available until Microsoft provides one

Until Microsoft decides to issue security updates for this vulnerability, the 0patch micropatching service has released free unofficial patches (known as micropatches).

0patch has developed the micropatches using information shared by Cocomazzi and Pierini in their April 2021 report.

The unofficial patches for RemotePotato0 are available for all Windows versions from Windows 7 to the latest Windows 10 version and from Windows Server 2008 to Windows Server 2019.

To install the micropatch on your system, you will first have to create a 0patch account and then install the 0patch agent.

After launching the agent, the micropatch will be applied automatically without a restart if you haven’t enabled any custom patching enterprise policy to block it.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us