NTLM Reflection Attack? Not for Preempt Customers
NTLM strikes again! Microsoft released a patch this week for CVE-2019-1384, a bypass vulnerability that allows attackers to successfully launch NTLM reflection attacks when NTLM relay is not properly mitigated on the attacked machine. NTLM reflection is a special case of NTLM relay in which the NTLM session messages are relayed back to the machine that originated the NTLM session. NTLM reflection is particularly lethal because the user typically has high privileges on the machine that originated the session.
Preempt customers are safe from NTLM reflection attacks because Preempt monitors all NTLM sessions when they are authenticating against the domain controller. Preempt will alert you when this exploit happens and help you track the remediation of this incident through one central location.
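One way to flag the reflection pattern defined above in Windows Security logs, added here as an example and not Preempt's detection logic. It assumes event 4624 records exported as dictionaries plus a host-to-address inventory; the sample events, host names and addresses are constructed.

```python
import ipaddress

# Constructed inventory (assumption): addresses each host is known to use.
HOST_ADDRESSES = {"WKSTN01": {"10.0.5.21"}, "SRV-FILE": {"10.0.8.10", "10.0.9.10"}}

# Constructed event 4624 (successful logon) records, keyed by the event's field names.
SAMPLE_EVENTS = [
    # Ordinary NTLM network logon from a workstation to a file server.
    {"Computer": "SRV-FILE.corp.example", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WKSTN01", "IpAddress": "10.0.5.21", "TargetUserName": "alice"},
    # Host authenticating to itself from one of its own addresses: benign.
    {"Computer": "SRV-FILE.corp.example", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "SRV-FILE", "IpAddress": "10.0.9.10", "TargetUserName": "svc_backup"},
    # Reflection pattern: session originated on SRV-FILE but arrives from a foreign address.
    {"Computer": "SRV-FILE.corp.example", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "SRV-FILE", "IpAddress": "10.0.5.99", "TargetUserName": "svc_backup"},
    # Kerberos logon: outside the scope of this check.
    {"Computer": "SRV-FILE.corp.example", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "-", "IpAddress": "10.0.5.99", "TargetUserName": "bob"},
]

def short_name(name):
    """Reduce an FQDN or NetBIOS name to an upper-case host label."""
    return name.split(".")[0].upper()

def is_local_address(host, address):
    """True if the source address belongs to the host itself (or none was recorded)."""
    if address in ("", "-"):
        return True
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # unparseable source: leave it for an analyst to look at
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    return ip.is_loopback or str(ip) in HOST_ADDRESSES.get(host, set())

def find_reflection_candidates(events):
    """Return (host, source_ip, user) for NTLM network logons that name the
    target machine as their origin but come from an address it does not own."""
    hits = []
    for ev in events:
        if ev.get("AuthenticationPackageName") != "NTLM" or ev.get("LogonType") != 3:
            continue
        target = short_name(ev["Computer"])
        if short_name(ev.get("WorkstationName", "")) != target:
            continue
        if not is_local_address(target, ev.get("IpAddress", "-")):
            hits.append((target, ev["IpAddress"], ev.get("TargetUserName", "")))
    return hits

if __name__ == "__main__":
    for hit in find_reflection_candidates(SAMPLE_EVENTS):
        print("possible NTLM reflection:", hit)
```

Treat hits as leads for investigation: address translation between hosts or an incomplete inventory produces false positives, and WorkstationName is a client-supplied field.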
Background on NTLM Reflection Attacks
This vulnerability was discovered by Danyal Drew (more in his insightful blog post) who dubbed this vulnerability “Ghost Potato” after previous vulnerabilities “Hot Potato”, a Windows privilege escalation, and “Rotten Potato”, a privilege escalation from service accounts.
This vulnerability — along with recent NTLM vulnerabilities discovered by the Preempt research team such as Drop the MIC (CVE-2019-1040), Drop the MIC 2 (CVE-2019-1166), and the “Printer Bug” (weaponized by Lee Christensen) — is a recipe for an easy compromise of your domains.
How Preempt Mitigates the Attack
Preempt customers are safe from this exploit because our solution will immediately alert on any NTLM relay exploitation attempt. Under incidents, you can also track the investigation of the NTLM relay attack and ensure that any exploit is being immediately resolved in one easy location.
The Preempt Platform alerts on many weak NTLM configurations that allow NTLM relay such as misconfigurations with:
- SMB signing – Preempt analyzes all GPOs in the network and will alert on machines that do not require SMB signing. Enforcing SMB signing on a machine does not by itself make it immune to NTLM relay/reflection attacks.
- NTLMv1 Support – NTLMv1 is extremely weak and may allow for many of the above-described attacks to affect even fully patched machines. Some older OS versions still have NTLMv1 enabled by default. Preempt can help you detect these vulnerable machines and apply the proper remediation.
- LDAP signing and LDAPS channel binding – This is one of the biggest gaps that currently affects an organization’s security posture. Most organizations are not fully protected against CVE-2017-8563, an LDAPS relay attack. We will be presenting on how Preempt customers can be protected against an LDAP relay attack in an upcoming blog post.
- Privileged machines with spooler service enabled – When the spooler service is enabled, attackers can relay NTLM sessions without any user interaction. When machines are privileged (e.g., domain controllers), this makes NTLM relay especially lethal to organizations. We will also be presenting on how Preempt customers can be protected against this misconfiguration in an upcoming blog post.
Finally, the NTLM protocol is weak and has many issues (some of which simply cannot be resolved). Preempt allows IT teams to monitor all NTLM traffic and generate reports on the NTLM usage in the network. By being able to monitor the traffic, they can gradually reduce NTLM usage over time.
Monnia Deng contributed to this blog post.
Posted by Yaron Zinar on November 13, 2019 8:40 PM