Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Sneaky Windows Folder Poisoning Attack Steals Access Rights

Windows challenge-response authentication protocol could be abused by PC hackers to easily access wider corporate networks.

 

10 Ways To Fight Digital Theft & Fraud
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)

Beware of an attack that uses modified shortcut icons to trick Windows machines into sharing their network-access rights with a hacked PC.

That warning was sounded Tuesday by researchers at data center security vendor Imperva, who said they've discovered a way to poison Windows folders and gain the access rights of anyone who browses to that folder. The hack involves exploiting a relaying feature in Microsoft NT LAN Manager (NTLM), which is a widely used Windows challenge-response authentication protocol.

"Poisoning is a big word for saying I'm creating a file in that folder that has an icon pointing back to my computer; that's GUI stuff," said Amichai Shulman, CTO of Imperva, in an interview at last week's Infosecurity Europe conference.

Anyone who can be tricked into clicking on a folder containing such a shortcut icon will launch an NTLM relay, which passes their authentication credentials via the compromised PC to Active Directory and then gives the compromised PC the same access rights. Furthermore, it's easy for would-be relay attackers to disguise any related malicious shortcuts simply by right-clicking on a shortcut file and changing its icon.

[More than 250 data breaches occurred in Q1 2014, report says. Read Report: Nearly 200 Million Records Compromised In Q1.]

Riffing on the advanced persistent threat (APT) concept, Shulman called this type of attack a "non-advanced persistent threat" since it requires only basic skills but still allows an attacker who's able to hack into a corporate PC -- for example, via a malware infection -- to gain access to further network-connected systems. "Most of the setup is manual, using the GUI, and you probably need to download one tool from the Internet," he added.

Shulman said similar types of attacks can be launched beyond Windows. Other potential targets include Jive, SharePoint, or other collaboration software, especially if it includes the ability to publish small blurbs of information via feeds, together with small images, as these images can used by attackers to point to remote machines and launch NTLM relay attacks.

According to a related research report published Tuesday by Imperva, the flaws that enable this attack to be launched are present in both version 1 and version 2 of NTLM.

While declining to detail exactly how the flaws could be exploited -- and noting that Imperva has no indication that these attacks have been used in the wild -- Shulman said would-be attackers could quickly work out the specifics, if they hadn't already done so. "I think there's enough detail to reconstruct the attack. It's hard not to... it's not like I have to describe some esoteric buffer overflow vulnerability. It's just something you can achieve using a shell command line and GUI in Windows."

The attack detailed by Imperva isn't the first NTLM-related vulnerability to be discovered. Indeed, in recent years, information security professionals have urged businesses to ditch the authentication protocol. "NTLM is to be avoided... especially in high-security environments," said Senne Van Laer, a consultant at ITS Group Benelux, in a 2011 post to the official Microsoft NTLM page inside the Windows Dev Center community.

That's because prior to the attack outlined by Imperva, researchers discovered multiple weaknesses in NTLM that allow attackers who can eavesdrop on an NTLM challenge and response to calculate the hash that's used for authentication. Attackers can then use this hash to authenticate to network resources.

The solution to these NTLM weaknesses is ostensibly simple: Disable NTLM. "However, disabling NTLM can be quite a challenge as authentication with third-party tools, applications or appliances often relies on it, and the fact that Kerberos requires the hostname to be able to authenticate," Van Laer wrote in his post. "A lot of issues can be expected for applications that connect using IP only." Accordingly, he recommends that any organization that still employs NTLM implement strong and long passwords involving more than 10 characters, at least for administrative accounts, to make them less susceptible to rainbow table attacks.

Imperva's Shulman said that NTLM-using businesses can also create baselines of file-access behavior -- users, which files they typically access, and when -- and watch for deviations, which may be signs of high-level abuse patterns.

Cyber criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Read our Advanced Attacks Demand New Defenses report today. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
5/9/2014 | 3:47:06 AM
Insidious
The attack scenarios that exploit the NTLM are well known, they are very insidious and poses serious risks, especially for enterprises, that's why it is suggested to avoid its use in high sensitive industry. 

I find very dangerous possible exploitation of the highlighted flaw by insiders, especially if they use a specifically designed malicious code that exploit the flaw to gather credentials to the overall resources within a network.

 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.