Security News > 2024 > January > Attackers can steal NTLM password hashes via calendar invites

A recently patched vulnerability in Microsoft Outlook that can be used by attackers to steal users' NTLM v2 hashes can be exploited by adding two headers to an email carrying a specially crafted file, security researcher Dolev Taler has shared on Friday.

He and his colleagues from Varonis Threat Labs have revealed two additional ways attackers can get users' NTLM v2 hashes and use them for offline brute-force or authentication relay attacks.

NTLM v2 - the most current iteration of the NTLM cryptographic protocol - is used by Microsoft Windows to authenticate users to remote servers via password hashes.

Compromised NTLM v2 password hashes can be used in authentication relay attacks or can be brute-forced to reveal the hashed password.

How to keep NTLM v2 hashes out of attackers' hands.

In the meantime, there are several ways organizations can protect themselves against NTLM v2 attacks, Taler added: by switching on SMB signing, by blocking outgoing NTLM v2 authentication, and by forcing Kerberos authentication whenever possible and blocking NTLM v2 on both the network and applicative levels.

News URL

https://www.helpnetsecurity.com/2024/01/22/attackers-steal-ntlm-hashes/