Threat update
Microsoft announced that a recently disclosed security flaw had been exploited just one day after it released fixes for the vulnerability. CVE-2024-21410, an Exchange Server vulnerability with a CVSS score of 9.8, allows threat actors to escalate privileges on the affected Exchange Server.
Technical Detail and Additional Info
What is the threat?
CVE-2024-21410 can allow remote unauthenticated threat actors to escalate privileges by executing New Technology LAN Manager (NTLM) relay attacks against vulnerable versions of Microsoft Exchange Server. Threat actors can force a network device, such as a server or domain controller, to authenticate against an NTLM relay under their control, then impersonate the targeted device and elevate their privileges.
Why is it noteworthy?
While specific details regarding the exploitation and the identity of the threat actors behind it are currently undisclosed, it's worth noting the historical association with hacker groups such as APT28. These groups have a track record of exploiting vulnerabilities in Microsoft Outlook, particularly for staging NTLM relay attacks. Recently, they've been linked to NTLM relay attacks targeting high-value entities since at least April 2022. These attacks have focused on organizations spanning foreign affairs, energy, defense, transportation, labor, social welfare, finance, parenthood, and local city councils.
What is the exposure or risk?
This flaw presents an opportunity for attackers to conduct credential-leaking attacks against NTLM clients like Outlook. Microsoft warns that the leaked credentials can be relayed to an Exchange server. Successful exploitation can lead to the attacker assuming the victim client's privileges and executing operations on the Exchange server.
What are the recommendations?
LBT Technology Group, LLC. recommends the following actions to mitigate the impact of CVE-2024-21410:
- Apply Exchange Server 2019 Cumulative Update 14 (CU14), which includes NTLM credentials relay protection to reduce risks from this vulnerability.
- Use the ExchangeExtendedProtectionManagement PowerShell script for versions prior to Exchange Server 2019 to activate extended protection (EP).
- Review Microsoft's EP documentation to identify and address any potential issues. Conduct thorough assessments of the environment before enabling EP.
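To support the assessment step above, the following added example (not part of the original advisory and not Microsoft's script) reads IIS `<location>` entries and reports the Extended Protection `tokenChecking` value for each virtual directory that has a Windows authentication section. The function name, the `NeedsReview` column and the embedded sample are assumptions made for illustration; the sketch reads only explicit `<location>` entries and does not resolve settings inherited from parent paths.

```powershell
# Constructed sample in the applicationHost.config format (not taken from a real server).
$sampleConfig = @'
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/mapi">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Exchange Back End/PowerShell">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Allow" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

# Hypothetical helper: one row per <location> that carries a windowsAuthentication element.
function Get-ExtendedProtectionState {
    param([Parameter(Mandatory)][xml]$Config)
    $authPath = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($loc in $Config.SelectNodes('/configuration/location')) {
        $auth = $loc.SelectSingleNode($authPath)
        if ($null -eq $auth) { continue }   # no Windows authentication section here
        $enabled = $auth.GetAttribute('enabled') -eq 'true'
        # IIS treats tokenChecking as None when the element or attribute is absent.
        $ep = $auth.SelectSingleNode('extendedProtection')
        $token = 'None'
        if ($null -ne $ep -and $ep.GetAttribute('tokenChecking')) {
            $token = $ep.GetAttribute('tokenChecking')
        }
        [pscustomobject]@{
            Path          = $loc.GetAttribute('path')
            WindowsAuth   = $enabled
            TokenChecking = $token
            NeedsReview   = ($enabled -and ($token -eq 'None'))
        }
    }
}

Get-ExtendedProtectionState -Config $sampleConfig | Format-Table -AutoSize
```

On a server, the input would be the contents of `%windir%\System32\inetsrv\config\applicationHost.config`. A `NeedsReview` row is a prompt to compare that virtual directory against the value Microsoft's EP documentation expects for it, not proof of a misconfiguration.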
References
For more in-depth information about the recommendations, please visit the following links:
- Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug
- Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
If you have any questions, please contact LBT's Sales Engineer.