fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector

Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector

A recent security update for a Windows NTLM Relay Attack has been confirmed to be a previously unfixed vector for the PetitPotam attack.

During the May 2022 Patch Tuesday, Microsoft released a security update for an actively exploited NTLM Relay Attack labeled as a ‘Windows LSA Spoofing Vulnerability’ and tracked as CVE-2022-26925.

“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.”

An NTLM Relay Attack allows threat actors to force devices, even domain controllers, to authenticate against malicious servers they control. Once a device authenticates, the malicious server can impersonate the device and gain all of its privileges.

Also Read: The Top 4W’s of Ethical Hacking

These attacks are significant problems as they could allow a threat actor to gain complete control over the domain.

While Microsoft did not share too many details about the bug, they stated that the fix affected the EFS API OpenEncryptedFileRaw(A/W) function, which indicated that this might be another unpatched vector for the PetitPotam attack.

Confirmed to be part of Petitotam

PetitPotam is an NTLM Relay Attack tracked as CVE-2021-36942 that French security researcher GILLES Lionel discovered, aka Topotam, in July.

The PetitPotam attack allowed unauthenticated users to use the EfsRpcOpenFileRaw function of the MS-EFSRPC API to force a device to perform NTLM authentication against attacker-controlled servers.

A demonstration of this attack can be viewed below.

While Microsoft fixed part of the PetitPotam vulnerability in August 2021, there were still unpatched vectors that allowed the bug to be abused by attackers.

When we contacted Microsoft to confirm if the NTLM Relay vector patched this month was related to PetitPotam, they responded with a stock response that did not answer our questions.

“A security update was released in May. Customers who apply the update, or have automatic updates enabled, will be protected. We are continuously improving security for our products and encourage customers to turn on automatic updates to help ensure they are protected.” ​– a Microsoft spokesperson.

However, BleepingComputer has since confirmed that the recently fixed NTLM Relay Attack bug does, in fact, fix an unpatched vector for the PetitPotam attack.

Raphael John, who Microsoft attributes for the discovery of the new NTLM Relay vulnerability, says that he discovered that PetitPotam was still working when conducting pentests in January and March.

However, when he disclosed it to Microsoft, they fixed it under a new CVE rather than the original one assigned to PetitPotam.

Also Read: What is Social Engineering and How Does it Work?

“I made it very clear in the report, that it is just PetitPotam and nothing I found out or changed,” Raphael John told BleepingComputer in a conversation.

PetitPotam continued to work after Microsoft fixed it because Topotam discovered a bypass to the August security update and added it to his tool in January 2022.

Gilles has confirmed to BleepingComputer that the new security update has now fixed the PetitPotam ‘EfsRpcOpenFileRaw’ vector, but other EFS vectors still exist, allowing the attack to work.

“All functions of petitpotam, as others vectors, still works except efsopenfileraw,” Gilles told BleepingComputer.

As new PetitPotam vectors and other NTML Relay attacks will be discovered in the future, Microsoft suggests that Windows domain admins become familiar with the mitigations outlined in their ‘Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)‘ support document.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us