
Mysterious hack allows attackers to steal Windows login credentials without user interaction

Microsoft fixed a vulnerability that could allow hackers to steal Windows login credentials without any user interaction.

Microsoft fixed a serious vulnerability that could allow attackers to steal Windows NTLM password hashes without any user interaction.

The tech giant patched the issue only for recent Windows versions (Windows 10 and Server 2016). To trigger the flaw, the attacker only needs to place a specially crafted Shell Command File (SCF file) inside a publicly accessible Windows shared folder.

Once the attacker has placed the file in the folder, it executes due to the security issue, gathers the machine's NTLM password hash, and sends it back to the attacker's server.

The attacker can then crack the NTLM password hash offline to access the victim's computer. The hack was reported to Microsoft in May by the Colombian security researcher Juan Diego.

“It is a known issue that Microsoft NTLM architecture has some failures, hash stealing is not something new, it is one of the first things a pentester tries when attacking a Microsoft environment. But, most of these techniques require user intervention or traffic interception to fulfill the attack,” wrote Juan Diego.

“These new attacks require no user interaction, everything is done from the attacker’s side, but of course, there are some conditions that need to be met to be successful with this attack.”

Older Windows versions remain vulnerable because the registry modifications are not compatible with older versions of the Windows Firewall.

“According to Microsoft, all Windows versions from 3.11 up to Windows 10, desktop and server, are vulnerable to this kind of attack,” explained Diego.

“Honestly, I have only tested on Windows 7 and Windows 10, then I passed the ball to Microsoft.”

The good news is that the hack doesn't work against machines whose shared folders are protected by a password, and since this is the default option in Windows, the extent of the vulnerability is limited.

Nonetheless, in many cases Windows users need to share folders without a password, opening their systems to attack.

Microsoft fixed the issue with the October Patch Tuesday via the ADV170014 security advisory.

Be careful: ADV170014 is an optional patch, so it is not installed automatically; installing it is highly recommended.

Diego was not able to explain why the attack was possible; in previously known attacks leveraging SCF files, the victim had to open the folder in order to trigger the flaw.

In the attack scenario detailed by Diego, the SCF file is executed right after the attacker places it in the shared folder, without any user interaction.

According to BleepingComputer.com, Microsoft acknowledged another security researcher, Stefan Kanthak, for reporting the issue.

“While Diego has reported his attack to Microsoft, it was German researcher Stefan Kanthak who got an acknowledgment from Microsoft for the fixed issue, as he too reported similar bugs in March 2017,” reported BleepingComputer.

“Microsoft did (as every so often) a POOR job, the updates published this month close only 2 of the 6 distinct weaknesses I reported,” Kanthak told Bleeping via email, hinting that more ways to exploit pass-the-hash attacks exist.

Let me close with the mitigation advice provided by Diego:

“Microsoft created a sort of patch to this vulnerability consisting of changing two registry keys to disable NTLM on the system. These registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.

Another issue is that disabling NTLM will break a lot of environments, and that's a huge concern for them,” suggested the expert.

“My suggestion is to use strong passwords, after the attack we need to crack the hash, that can take a lot of time if the password is complex, and can be frustrating for the attacker.

The better approach, don’t share folders without passwords, that’ll do the trick.”
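The two mitigations Diego names (restricting NTLM and not sharing folders without a password) can be checked from the defender's side. The following PowerShell audit script is an added example, not code from the article or from either researcher. Because the article does not name the two registry keys ADV170014 introduced, the script instead inspects the long-standing "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" value (`RestrictSendingNTLMTraffic`), which is an assumption and a substitute, together with share permissions, the Guest account (Windows' "password protected sharing" switch) and an outbound SMB firewall rule. It assumes an elevated PowerShell session on Windows 8.1/10 or Server 2012 R2/2016 where the `SmbShare`, `NetSecurity` and `Microsoft.PowerShell.LocalAccounts` modules are present.

```powershell
# Added example (not from the article): audit a Windows host for the exposures
# the article describes - anonymous/guest-readable shares and unrestricted
# outbound NTLM - and report what a defender should change.
# Assumption: RestrictSendingNTLMTraffic is used as a stand-in for the two
# ADV170014 keys the article does not name. Values: absent/0 = allow,
# 1 = audit only, 2 = deny outbound NTLM to remote servers.
function Test-NtlmLeakExposure {
    $findings = @()

    # 1. Is outbound NTLM to remote servers restricted?
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm = (Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $ntlm -or $ntlm -lt 2) {
        $findings += "Outbound NTLM to remote servers is not denied (RestrictSendingNTLMTraffic=$ntlm); " +
                     "audit with value 1 first, then set 2 via Group Policy, because denying breaks NTLM-only services."
    }

    # 2. Non-administrative shares reachable by Everyone, Guests or anonymous users
    $broadPrincipals = 'Everyone', 'BUILTIN\Guests', 'NT AUTHORITY\ANONYMOUS LOGON', 'ANONYMOUS LOGON'
    foreach ($share in Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $ace.AccountName) {
                $findings += "Share '$($share.Name)' ($($share.Path)) grants $($ace.AccessRight) to $($ace.AccountName); " +
                             "remove that entry or grant access only to accounts that have a password."
            }
        }
    }

    # 3. An enabled Guest account means "password protected sharing" is effectively off
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        $findings += "Local Guest account is enabled; run Disable-LocalUser -Name Guest so shares require credentials."
    }

    # 4. Without an outbound block on TCP 445, an SMB connection (and the NTLM
    #    exchange inside it) can leave the host for any remote server
    $smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' }
    if (-not $smbBlock) {
        $findings += "No enabled outbound firewall rule blocks TCP 445; add one for Internet destinations, e.g. " +
                     "New-NetFirewallRule -DisplayName 'Block outbound SMB' -Direction Outbound -Protocol TCP " +
                     "-RemotePort 445 -RemoteAddress Internet -Action Block"
    }

    return $findings
}

$result = Test-NtlmLeakExposure
if ($result.Count -eq 0) {
    'No findings: shares require credentials, outbound NTLM and SMB are restricted.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

Run the script once before and once after applying the changes it recommends; the firewall check only matches rules whose remote port is exactly 445, so a rule written as a port range is reported as missing and should be verified by hand.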


Pierluigi Paganini

(Security Affairs – Windows login credentials, hacking)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
