Identity & Access

New NTLM Hash Leak Attacks Target Outlook, Windows Programs

Varonis finds one vulnerability and three attack methods that can be used to obtain NTLM hashes via Outlook and two Windows programs.


Data security firm Varonis has disclosed a new vulnerability and three attack methods for obtaining NTLM v2 hashes by targeting Microsoft Outlook and two Windows programs. 

The new vulnerability is tracked as CVE-2023-35636. It has been assigned an ‘important’ severity rating by Microsoft, which fixed it with its December 2023 Patch Tuesday updates. The remaining issues have been assigned a ‘moderate’ severity rating and currently remain unpatched, Varonis said. 

NTLM v2 is a challenge-response protocol used to authenticate users to remote servers. What leaks in these attacks is the client's NTLMv2 response (often loosely called a "Net-NTLMv2 hash"), which is computed from the user's password hash, the challenge sent by the server and some client-supplied data. It is valuable to an attacker in two ways: it can be cracked offline by guessing passwords until one reproduces the captured response, or, if the attacker is positioned to act in real time, the authentication can be relayed to another server that accepts NTLM. Unlike the NT hash stored on the system, the response cannot simply be reused ("passed") to log in elsewhere, because each one is bound to a fresh server challenge.

Varonis showed that an attacker could exploit CVE-2023-35636 to obtain NTLM hashes by sending a specially crafted email to the targeted Outlook user.

The attack abuses Outlook's calendar sharing function. The attacker sends an email containing two specially crafted headers: one tells Outlook that the message contains sharing content, and the other points Outlook at a server controlled by the attacker.

If the victim clicks 'Open this iCal' in the malicious message, Outlook attempts to fetch the sharing configuration file from the attacker's server, and the user's NTLMv2 response is exposed when Windows authenticates to that server.

Another way of obtaining the NTLM v2 hash is by abusing the Windows Performance Analyzer (WPA) tool, which is often used by developers. Varonis researchers discovered that a special URI handler is used to process WPA-related links, and that it will attempt to authenticate using NTLM v2 to a host on the open internet, exposing the user's NTLMv2 response to whoever runs that host.

This method involves sending an email that contains a link designed to redirect the victim to a malicious WPA payload on a site controlled by the attacker.


The remaining two attack methods uncovered by Varonis involve abuse of the Windows File Explorer. Unlike WPA, which is mainly found on the machines of software developers, File Explorer is present on every Windows computer. 

There are two variations of the File Explorer attack, both involving the attacker sending a malicious link to the targeted user via email, social media or other channels. 

“Once the victim clicks the link, the attacker can obtain the hash and then try to crack the user’s password offline,” Varonis explained. “Once the hash has been cracked and the password obtained, an attacker can use it to log on to the organization as the user. With this payload, the explorer.exe will try to query for files with the .search-ms extension.”

Related: Russian APT Used Zero-Click Outlook Exploit

Related: Microsoft Patches Another Already-Exploited Windows Zero-Day


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
