overview
Microsoft has recently disclosed an unpatched vulnerability that could expose NTLM hashes to an attacker, tracked as CVE-2024-38200.
Microsoft has assessed the exploitability of the vulnerability as less likely; MITRE, however, considers exploitation highly probable. The difference in assessments is likely because exploiting CVE-2024-38200 requires user interaction: an attacker could host a website, or leverage a compromised website, serving specially crafted files that exploit the vulnerability.
In this scenario, an attacker has no way to force user interaction and would have to fall back on social engineering to convince the user to visit the site and click the link.
Microsoft has enabled an alternative fix as of July 30th, 2024, and recommends that all customers update on August 13th, 2024. More information can be found here.
how avertium is protecting our customers
IOCs ADDED TO OUR THREAT FEEDS
At this time, there are no known IoCs associated with the above vulnerability. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
TTPs TO MONITOR
1. Initial Access (T1078):
- Depending on the context, attackers might initially acquire NTLM hashes from phishing or malware, allowing them to gain initial access to a network using credentials from a compromised account.
2. Credential Access (T1003):
- Attackers may use the exposed NTLM hashes to gain unauthorized access to systems. They could perform pass-the-hash attacks, which involve using the hashes to authenticate without needing to crack them into plaintext passwords.
3. Lateral Movement (T1021):
- Once an attacker has access to NTLM hashes, they can use them to move laterally across the network. This can be done through techniques such as:
- Remote Services (T1021.001): Connecting to other systems using pass-the-hash.
- Exploitation of Remote Services (T1210): Exploiting vulnerabilities in network services that may also accept NTLM authentication.
4. Privilege Escalation (T1068):
- If the attacker can authenticate with the NTLM hashes and gain access to higher-privileged accounts, they may attempt privilege escalation on those systems.
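The TTPs above all leave the same trace in Windows Security logs: NTLM network logons (event 4624, logon type 3, authentication package NTLM) from one account against several hosts in a short period, which is how pass-the-hash lateral movement looks to a defender. The following script is an added example, not Avertium's detection content and not a signature for CVE-2024-38200 itself; it runs a fan-out heuristic over constructed sample events whose field names mirror the 4624 event's EventData attributes (TimeCreated, Computer, LogonType, AuthenticationPackageName, TargetUserName, IpAddress). Hostnames, account names, IPs and the 3-hosts-in-10-minutes threshold are all invented for illustration and would be tuned to the environment.

```python
"""Flag accounts whose NTLM network logons fan out across many hosts quickly.

Pass-the-hash lateral movement authenticates with NTLM (never Kerberos) and
typically touches several machines in minutes. A burst of 4624/LogonType 3/NTLM
events for one account across distinct computers is therefore a useful hunt
query after any NTLM hash exposure. Sample events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security events (not real telemetry). Each dict mirrors
# the EventData fields of a Windows 4624 logon event; all values are invented.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-08-13T09:00:05", "Computer": "FS01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2024-08-13T09:01:10", "Computer": "FS01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "IpAddress": "10.0.5.77"},
    {"TimeCreated": "2024-08-13T09:02:30", "Computer": "SQL02", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "IpAddress": "10.0.5.77"},
    {"TimeCreated": "2024-08-13T09:03:45", "Computer": "WEB03", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "IpAddress": "10.0.5.77"},
    # Interactive NTLM logon on a workstation: ordinary, must not alert.
    {"TimeCreated": "2024-08-13T09:04:00", "Computer": "WS-HR-12", "EventID": 4624,
     "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "carol", "IpAddress": "-"},
    # Three NTLM logons spread over hours: outside the default window.
    {"TimeCreated": "2024-08-13T11:30:00", "Computer": "FS01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "dave", "IpAddress": "10.0.2.9"},
    {"TimeCreated": "2024-08-13T15:30:00", "Computer": "SQL02", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "dave", "IpAddress": "10.0.2.9"},
    {"TimeCreated": "2024-08-13T15:31:00", "Computer": "WEB03", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "dave", "IpAddress": "10.0.2.9"},
]


def is_ntlm_network_logon(event):
    """True for a successful network (type 3) logon authenticated with NTLM.

    Interactive and RDP logons (types 2 and 10) that use NTLM are common and
    are excluded so the heuristic only sees remote-service style access.
    """
    return (event["EventID"] == 4624
            and event["LogonType"] == 3
            and event["AuthenticationPackageName"].upper() == "NTLM")


def find_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {user: alert} for accounts whose NTLM network logons reached at
    least `min_hosts` distinct computers within any sliding `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if is_ntlm_network_logon(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]),
                 ev["Computer"], ev["IpAddress"]))

    alerts = {}
    for user, logons in by_user.items():
        logons.sort()                 # chronological order per account
        recent = deque()              # logons inside the current window
        for ts, host, ip in logons:
            recent.append((ts, host, ip))
            while ts - recent[0][0] > window:
                recent.popleft()      # drop logons that aged out of the window
            hosts = sorted({h for _, h, _ in recent})
            if len(hosts) >= min_hosts:
                alerts[user] = {
                    "hosts": hosts,
                    "source_ips": sorted({i for _, _, i in recent}),
                    "first": recent[0][0].isoformat(),
                    "last": ts.isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for user, alert in find_ntlm_fanout(SAMPLE_EVENTS).items():
        print(f"NTLM fan-out: {user} -> {alert['hosts']} "
              f"from {alert['source_ips']} between {alert['first']} and {alert['last']}")
```

On the sample data only `bob` trips the default threshold; `dave` reaches three hosts but over four hours, which shows why the window matters and why it should be widened (or combined with a baseline of which accounts normally use NTLM at all) when hunting rather than alerting in real time.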
ADDITIONAL SERVICE OFFERINGS
- Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
- Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
- Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
- Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
- Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
- Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).
SUPPORTING DOCUMENTATION