overview

Threat researchers with ACROS Security have confirmed the existence of a Windows zero-day vulnerability that affects every version of Windows from Windows 7 through Windows 11, and Windows Server from 2008 R2 onward.

The zero-day currently has no CVE number, and Microsoft does not plan to ship an official patch until April at the earliest. The vulnerability resides in NTLM (New Technology LAN Manager), a suite of authentication protocols developed by Microsoft. NTLM is used for authentication (validating the identity of a user trying to access resources), for its challenge-response mechanism (the client proves knowledge of the password without sending it over the network in plaintext), and for compatibility with legacy systems and scenarios that cannot use the more modern Kerberos protocol.

The vulnerability lets an attacker obtain a user's NTLM credentials simply by having the user view a malicious file in Windows Explorer. Opening a folder in which the file is stored (a shared folder, the Downloads folder, and so on) is enough; the user does not have to open the file itself. Leaks of this kind work by forcing an outbound authentication: Windows transparently attempts to authenticate to a remote host the attacker chooses, and what the attacker captures is the user's NTLM challenge-response (often called the Net-NTLMv2 hash), not the NT hash stored on the machine or in Active Directory. The captured value cannot be used directly for pass-the-hash, but it can be cracked offline if the password is weak, or relayed to another service while the exchange is live. Further technical details are being withheld until Microsoft releases an official patch, to minimize the risk of exploitation.


how avertium is protecting our customers

 

IOCs ADDED TO OUR THREAT FEEDS

As of this writing there are no indications that this vulnerability has been exploited in the wild, so we have not added any new IoCs to our Threat Feed for it.

Instead, our analysts are actively hunting for indications of threat actors who are known to abuse NTLM weaknesses as part of an attack.

We are currently hunting for the following Threat Actors:  

  • APT 28 (Fancy Bear) 
  • APT41 (Winnti) 
  • Conti  
  • LockBit 
  • FIN7 (Carbanak Group) 
  • TA505 
  • RomCom 

Avertium is tracking several thousand IoCs related to these threat actors. If we discover indications that an environment is under attack, we will contact you directly.  



TTPs TO MONITOR

1. Credential Access – T1003.001 (OS Credential Dumping: LSASS Memory) – With tools such as Mimikatz, an attacker who already holds local administrator rights can extract NT hashes and other secrets from LSASS memory; the hashes can be cracked offline or used directly in pass-the-hash. 
  • T1557 (Adversary-in-the-Middle) – Using NTLM relay, an attacker intercepts a client's NTLM authentication and forwards it to another server, authenticating there as the victim without ever learning the password. A forced-authentication leak like the one described above hands the attacker exactly the exchange this technique relays.  

2. Lateral Movement – T1550.002 (Use Alternate Authentication Material: Pass the Hash; formerly tracked as T1075, which ATT&CK has deprecated) – Attackers re-use NT hashes to move laterally over SMB, WMI or (where Restricted Admin mode is enabled) RDP without needing the cleartext password.  

3. Privilege Escalation – T1550.002 again: when the re-used hash belongs to a highly privileged account, the same technique lets the attacker impersonate that account without its password. ATT&CK files Pass the Hash under Defense Evasion and Lateral Movement, so hunts keyed on tactic alone will miss it here. 

4. Defense Evasion – T1078 (Valid Accounts) – Using stolen NTLM credentials, attackers operate as legitimate user accounts, which blends in with normal activity and makes locking them out of the environment considerably harder. 


additional recommendations + information

  • Prefer Kerberos over NTLM for authentication wherever possible, and audit NTLM usage first: the "Network security: Restrict NTLM: Audit ..." Group Policy settings and Event ID 4624 records with AuthenticationPackageName NTLM show where it is still relied on. 
  • Protect against NTLM relay by requiring SMB signing on both servers and clients, and by enabling Extended Protection for Authentication (EPA) or channel binding on services that accept NTLM, such as LDAP, IIS and AD CS web enrollment. 
  • Restrict where NTLM may be sent: the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy can audit or deny outbound NTLM, and blocking outbound SMB (TCP 445) at the network edge stops a forced authentication from reaching an attacker's Internet-hosted share (it does not help when the malicious share sits inside the network). 
  • Use least-privilege principles to restrict account access, so that a captured or relayed credential is worth less to the attacker. 
  • Mitigate credential theft by requiring MFA for sensitive systems, and by enforcing long passwords for accounts that must still use NTLM, since a captured NTLMv2 response is only as strong as the password behind it. 

Microsoft further recommends disabling NTLM wherever possible within your environment; start with the audit settings above so that legacy dependencies surface before enforcement breaks them.  

There are also private companies, such as 0patch (the micropatching service run by ACROS Security, the researchers who reported this bug), that make a business of developing patches for major vulnerabilities. 0patch has advertised a micropatch on its website, but it is important to note that this company IS NOT the ultimate manufacturer and does not necessarily offer these patches for free. Any decision to use third-party software patches should be weighed carefully against your specific security requirements.  

Further information can be found on their official website. 


ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).


SUPPORTING DOCUMENTATION

New Windows Warning As Zero-Day With No Official Fix Confirmed For All Users 

New Windows zero-day exposes NTLM credentials, gets unofficial patch 

Microsoft NTLM Zero-Day to Remain Unpatched Until April 

PoC Exploit for Zero-Click Vulnerability Made Available to the Masses 

PoC exploit code for CVE-2024-38063 (note: CVE-2024-38063 is the Windows TCP/IP IPv6 remote code execution flaw, not an NTLM vulnerability; listed for context only) 

KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) 

How does Windows NTLM zero-day flaw facilitate credential theft? 

