The Information Highway

The Information Highway

Font size: +
2 minutes reading time (379 words)

Active exploitation of Microsoft vulnerability

Threat update

Microsoft announced that a recently disclosed security flaw had been exploited just one day after it released fixes for the vulnerability. CVE-2024-21410, an Exchange Server vulnerability, with a CVSS score of 9.8, allows threat actors to escalate privileges of the affected Exchange Server.

Technical Detail and Additional Info

What is the threat?

CVE-2024-21410 can allow remote unauthenticated threat actors to escalate privileges in New Technology LAN Manager (NTLM) and execute relay attacks targeting vulnerable versions of Microsoft Exchange Server. Threat actors can force a network device, such as a server or domain controller, to authenticate against an NTLM relay under their control to impersonate the targeted devices and elevate their privileges. 

Why is it noteworthy?

While specific details regarding the exploitation and the identity of the threat actors behind it are currently undisclosed, it's worth noting the historical association with hacker groups such as APT28. These groups have a track record of exploiting vulnerabilities in Microsoft Outlook, particularly for staging NTLM relay attacks. Recently, they've been linked to NTLM relay attacks targeting high-value entities since at least April 2022. These attacks have focused on organizations spanning foreign affairs, energy, defense, transportation, labor, social welfare, finance, parenthood, and local city councils. 

What is the exposure or risk?

This flaw presents an opportunity for attackers to conduct credential-leaking attacks against NTLM clients like Outlook. Microsoft warns that the leaked credentials can be relayed to an Exchange server. Successful exploitation can lead to the attacker assuming the victim client's privileges and execute operations on the Exchange server. 

What are the recommendations?

LBT Technology Group, LLC. recommends the following actions to mitigate the impact of CVE-2024-21410:

  • Implement Exchange Server 2019 Cumulative Update 14 (CU14) which includes NTLM credentials relay protection to reduce risks from this vulnerability.
  • Use the ExchangeExtendedProtectionManagement PowerShell script for versions prior to Exchange Server 2019 to activate extended protection (EP).
  • Review Microsoft's EP documentation to identify and address any potential issues. Conduct thorough assessments of the environment before enabling EP.

References

 For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact LBT's Sales Engineer.


CISA tags Microsoft SharePoint RCE bug as actively...
New GoFetch attack on Apple Silicon CPUs can steal...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023