Security News

A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. After ransomware topics were banned on hacking forums [1, 2], LockBit began promoting the new LockBit 2.0 ransomware-as-a-service operation on their data leak site.

Microsoft has released a cumulative out-of-band update to fix a known printing issue preventing some printers and scanners from working correctly. "Noncompliant printers, scanners, and multifunction devices might not work when you use smart card authentication. This issue occurs after you install the July 13, 2021 update on domain controllers in your environment."

To ward off the attack known as PetitPotam, Microsoft advises you to disable NTLM authentication on your Windows domain controller. Microsoft is sounding an alert about a threat against Windows domain controllers that would allow attackers to capture NTLM credentials and certificates.

A newly uncovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM relay attack and completely take over a Windows domain. Specifically, the attack enables a domain controller to authenticate against a remote NTLM under a bad actor's control using the MS-EFSRPC interface and share its authentication information.

Specifically, security researcher Gilles Lionel found it was possible to use MS-EFSRPC to force a device, including Windows domain controllers, to authenticate with a remote attacker-controlled NTLM relay. "PetitPotam takes advantage of servers," said Microsoft, "Where the Active Directory Certificate Services is not configured with protections for NTLM Relay Attacks."

The hack, which he has dubbed PetitPotam, involves what's known as an NTLM relay attack, which is a form of manipulator-in-the-middle attack against Microsoft's NTLM authentication system. Microsoft has been advising everyone to avoid NTLM, short for NT LAN Manager, for more than a decade, because it doesn't meet modern cryptographic security standards.

Enterprises have been warned of a new attack method that can be used by malicious actors to take complete control of a Windows domain. An unauthenticated attacker can use PetitPotam to get a targeted server to connect to their server and perform NTLM authentication.

Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly. As we reported last week, the vulnerability - SeriousSAM - allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash attack.

Windows 11 was officially announced last month with a redesigned Start, taskbar and Action Center experience. At the moment, Windows 11 is available to testers in the Dev Channel of the Insider program.

Kaseya obtains universal REvil decryptorThere's finally some good news for the MSPs and their customers that have been hit by the REvil ransomware gang via compromised Kaseya VSA software: a universal decryptor has made it available to affected organizations. Easily exploitable, unpatched Windows privilege escalation flaw revealedA researcher has unearthed an easily exploitable vulnerability in Windows 10 that may allow local non-administrative users to gain administrative-level privileges.