Microsoft on Wednesday acknowledged that a recently disclosed critical security flaw in Trade Server has been actively exploited in the wild, a day immediately after it unveiled fixes for the vulnerability as portion of its Patch Tuesday updates.
Tracked as CVE-2024-21410 (CVSS rating: 9.8), the issue has been explained as a case of privilege escalation impacting the Trade Server.
“An attacker could goal an NTLM shopper this kind of as Outlook with an NTLM credentials-leaking kind vulnerability,” the company mentioned in an advisory posted this 7 days.
“The leaked credentials can then be relayed against the Trade server to acquire privileges as the target shopper and to complete operations on the Trade server on the victim’s behalf.”
Effective exploitation of the flaw could permit an attacker to relay a user’s leaked Net-NTLMv2 hash versus a prone Trade Server and authenticate as the consumer, Redmond included.
The tech huge, in an update to its bulletin, revised its Exploitability Assessment to “Exploitation Detected,” noting that it has now enabled Prolonged Safety for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14) update.
Aspects about the character of the exploitation and the identity of the risk actors that could be abusing the flaw are presently unknown. Nonetheless, Russian point out-affiliated hacking crews these kinds of as APT28 (aka Forest Blizzard) have a historical past of exploiting flaws in Microsoft Outlook to phase NTLM relay attacks.
Previously this thirty day period, Craze Micro implicated the adversary to NTLM relay attacks focusing on high-worth entities at minimum considering the fact that April 2022. The intrusions targeted organizations dealing with international affairs, vitality, defense, and transportation, as properly as individuals concerned with labor, social welfare, finance, parenthood, and neighborhood metropolis councils.
CVE-2024-21410 adds to two other Windows flaws โ CVE-2024-21351 (CVSS rating: 7.6) and CVE-2024-21412 (CVSS rating: 8.1) โ that have been patched by Microsoft this week and actively weaponized in actual-environment assaults.
The exploitation of CVE-2024-21412, a bug that allows a bypass of Windows SmartScreen protections, has been attributed to an state-of-the-art persistent danger dubbed Drinking water Hydra (aka DarkCasino), which has beforehand leveraged zero-days in WinRAR to deploy the DarkMe trojan.
“The group employed internet shortcuts disguised as a JPEG impression that, when selected by the person, allows the threat actor to exploit CVE-2024-21412,” Development Micro reported. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as component of its attack chain.”
Microsoft’s Patch Tuesday update also addresses CVE-2024-21413, yet another critical shortcoming influencing the Outlook email software package that could outcome in remote code execution by trivially circumventing security steps these kinds of as Guarded Watch.
Codenamed MonikerLink by Test Issue, the issue “enables for a broad and severe effects, different from leaking of neighborhood NTLM credential details to arbitrary code execution.”
The vulnerability stems from the incorrect parsing of “file://” hyperlinks by incorporating an exclamation mark to URLs pointing to arbitrary payloads hosted on attacker-controlled servers (e.g., “file:///\10.10.111.111testtest.rtf!some thing”).
“The bug not only permits the leaking of the local NTLM facts, but it might also allow distant code execution and far more as an attack vector,” the cybersecurity business mentioned. “It could also bypass the Place of work Secured Look at when it really is made use of as an attack vector to focus on other Office apps.”
Found this write-up exciting? Stick to us on Twitter ๏ and LinkedIn to examine far more unique information we write-up.
Some parts of this article are sourced from:
thehackernews.com