Brother
Some hacking techniques are still relevant. What is Microsoft waiting for?
Varonis, a cybersecurity company, has discovered a new vulnerability in Microsoft products, as well as several attack methods that allow attackers to get hashes of user passwords.
The vulnerability, tracked as CVE-2023-35636, affects the calendar sharing feature in Outlook and is rated "important" (6.5 on the CVSS scale). An attacker can use it by sending a specially crafted email to the user; opening it forces Outlook to connect to a server controlled by the attacker and hand over the user's NTLM v2 hash for authentication.
NTLM v2 is a protocol used to authenticate users to remote servers. An NTLM v2 hash of a user's password is valuable to attackers, since they can either brute-force it offline to recover the plaintext password or use the hash to authenticate directly.
Microsoft fixed CVE-2023-35636 as part of an unscheduled security update in December 2023, but several of the other methods that attackers can use to obtain the authentication hash still work.
One of the identified methods uses the Windows Performance Analyzer (WPA) utility, which is often used by developers. The researchers found that WPA registers a special URI scheme for handling WPA-related links; following such a link causes an NTLM v2 authentication attempt over the Internet, which exposes the NTLM hash.
This method also involves sending an email containing a link designed to redirect the victim to a malicious WPA payload on a site controlled by the attacker.
Two other methods exploit the standard Windows File Explorer. Unlike WPA, which is not a default system component and is mostly used only by software developers, File Explorer is deeply integrated into Windows and is used daily by the vast majority of users. Both variants of the attack involve the attacker sending a malicious link to the target user via email, social networks, or other channels.
"As soon as the victim clicks on the link, the attacker can get the hash, and then try to crack the user's password offline," Varonis explained. "After cracking the hash and obtaining the password, an attacker can use it to log in to the organization as a user."
As noted above, CVE-2023-35636 was fixed in December, but the remaining issues are still relevant. Companies are advised to install the latest security updates and take additional measures to protect themselves from phishing attacks, so as not to fall victim to intruders.
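The "additional measures" above come down to stopping a Windows client from sending NTLM to hosts on the Internet in the first place. The following is an added defensive example written for this post (not code from Varonis or Microsoft): it reads and sets the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy through its registry value and adds an outbound firewall rule that blocks SMB (TCP 445) to Internet addresses. It assumes an elevated PowerShell session on a Windows 10/11 or Server host with the NetSecurity module; the rule name and the `Internet` address keyword (resolved by Network Location Awareness) are choices made here, not part of the original article.

```powershell
# Added defensive example (not from Varonis or Microsoft): audit and harden outbound NTLM
# on a Windows host against the forced-authentication hash leaks described above.
# Assumes an elevated PowerShell session on Windows 10/11 or Server with the NetSecurity module.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
# Values of "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
$NtlmOutboundModes = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutboundNtlmPolicy {
    # Read the current outbound NTLM restriction (absent value means 0, "Allow all")
    $v = (Get-ItemProperty -Path $LsaKey -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $v) { $v = 0 }
    [pscustomobject]@{ Value = $v; Mode = $NtlmOutboundModes[[int]$v] }
}

function Set-OutboundNtlmPolicy {
    param(
        [ValidateSet('Audit', 'Deny')] [string] $Mode,
        # Hostnames that may still receive NTLM (e.g. legacy internal file servers)
        [string[]] $AllowedServers = @()
    )
    # 'Audit' writes outbound NTLM use to the Microsoft-Windows-NTLM/Operational log (event 8001)
    # without blocking it, so run in audit mode first to find legitimate internal dependencies.
    $value = if ($Mode -eq 'Audit') { 1 } else { 2 }
    Set-ItemProperty -Path $LsaKey -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($AllowedServers.Count -gt 0) {
        # Exception list for "Add remote server exceptions for NTLM authentication"
        Set-ItemProperty -Path $LsaKey -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
    Get-OutboundNtlmPolicy
}

function Add-BlockOutboundSmbToInternetRule {
    # Block TCP/445 from this host to Internet addresses so a click on a lure link cannot
    # complete an SMB/NTLM handshake with an external server. 'Internet' is a firewall address
    # keyword resolved by Network Location Awareness; use explicit ranges if NLA is unreliable.
    $name = 'Block outbound SMB (TCP 445) to Internet'   # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

# Example run: inspect, move to audit mode first, then block outbound SMB to the Internet.
Get-OutboundNtlmPolicy
Set-OutboundNtlmPolicy -Mode Audit
Add-BlockOutboundSmbToInternetRule
```

Only switch to `-Mode Deny` after the audit log shows no legitimate internal NTLM targets that are not covered by `-AllowedServers`, since the deny setting also breaks NTLM to intranet servers.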
