Security News

To ward off the attack known as PetitPotam, Microsoft advises you to disable NTLM authentication on your Windows domain controller. Microsoft is sounding an alert about a threat against Windows domain controllers that would allow attackers to capture NTLM credentials and certificates.

A newly uncovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM relay attack and completely take over a Windows domain. Specifically, the attack enables a domain controller to authenticate against a remote NTLM under a bad actor's control using the MS-EFSRPC interface and share its authentication information.

Microsoft has released mitigations for the new PetitPotam NTLM relay attack that allows taking over a domain controller or other Windows servers. PetitPotam is a new method that can be used to conduct an NTLM relay attack discovered by French security researcher Gilles Lionel.

A newly identified NTLM relay attack abuses a remote procedure call vulnerability to enable elevation of privilege, researchers from cybersecurity firm SentinelOne reveal. The researchers used a DCOM client that was instructed to connect to a RPC server, operation that involved two NTLM authentications, one without the "Sign flag" being set, and also leveraged the fact that the DCOM activation service can be abused to trigger RPC authentication.

One of the vulnerabilities that Microsoft addressed on January 2021 Patch Tuesday could allow an attacker to relay NTLM authentication sessions and then execute code remotely, using a printer spooler MSRPC interface. Tracked as CVE-2021-1678, the vulnerability has been described by Microsoft as an NT LAN Manager security feature bypass, and is rated important for all affected Windows versions, namely, Windows Server, Server 2012 R2, Server 2008, Server 2016, Server 2019, RT 8.1, 8.1, 7, and 10.

A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities - including one remote code execution flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Watchcom added: "The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities."

Preempt researchers have discovered two vulnerabilities that may allow attackers to bypass a number of protections and mitigations against NTLM relay attacks and, in some cases, to achieve full...

Microsoft on Tuesday released security patches for nearly 90 vulnerabilities, including two Critical bugs impacting the proprietary authentication protocol NTLM. read more

Vulnerabilities in NTLM recently discovered by security provider Preempt could allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that...

The Preempt research team found two critical Microsoft vulnerabilities that consist of three logical flaws in NTLM, the company’s proprietary authentication protocol. These vulnerabilities allow...