Exploit released for new Windows Server "WinReg" NTLM Relay attack
Proof-of-concept exploit code is now public for a vulnerability in Microsoft's Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process.
The vulnerability is tracked as CVE-2024-43532 and takes advantage of a fallback mechanism in the Windows Registry (WinReg) client implementation that relies on old transport protocols if the SMB transport is not present.
An attacker exploiting the security issue could relay NTLM authentication to Active Directory Certificate Services (ADCS) to obtain a user certificate for further domain authentication.
The flaw affects all Windows server versions 2008 through 2022 as well as Windows 10 and Windows 11.
CVE-2024-43532 stems from how Microsoft's Remote Registry client handles RPC (Remote Procedure Call) authentication during certain fallback scenarios when SMB transport is unavailable.
When this happens, the client switches to older protocols like TCP/IP and uses a weak authentication level (RPC_C_AUTHN_LEVEL_CONNECT), which doesn't verify the authenticity or integrity of the connection.
An attacker could authenticate to the server and create new domain administrator accounts by intercepting the NTLM authentication handshake from the client and forwarding it to another service, such as Active Directory Certificate Services (ADCS).
Successfully exploiting CVE-2024-43532 results in a new way to carry out an NTLM relay attack, one that leverages the WinReg component to relay authentication details that could lead to domain takeover.
Some threat actors have used NTLM relay attack methods in the past to take control of Windows domains. One example is the LockFile ransomware gang, which targeted various organizations in the U.S. and Asia using PetitPotam shortly after it was discovered.
The vulnerability was discovered by Akamai researcher Stiv Kupchik, who disclosed it to Microsoft on February 1. However, Microsoft dismissed the report on April 25 as a "documentation issue."
In mid-June, Kupchik resubmitted the report with a better proof-of-concept (PoC) and explanation, which led to Microsoft confirming the vulnerability on July 8. Three months later, Microsoft released a fix.
The researcher has now released a working PoC for CVE-2024-43532 and explained the exploitation process, from creating a relay server to obtaining a user certificate from the target, during the No Hat security conference in Bergamo, Italy.
Akamai's report also provides a method to determine if the Remote Registry service is enabled on a machine as well as a YARA rule to detect clients that use a vulnerable WinAPI.
The researchers also recommend using Event Tracing for Windows (ETW) to monitor for specific RPC calls, including those related to the WinReg RPC interface.
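As an added illustration (not from Akamai's report or this article), the Python below runs over constructed ETW-style RPC client-call records and flags WinReg interface calls that left the SMB named-pipe transport and bound below packet integrity, which is the fallback pattern the article describes; the event field names and the PKT_INTEGRITY threshold are assumptions.

```python
# MS-RRP (WinReg) RPC interface UUID (version 1.0)
WINREG_IFACE_UUID = "338cd001-2244-31f1-aaaa-900038001003"

# RPC_C_AUTHN_LEVEL_* values from rpcdce.h
AUTHN_LEVEL_NAMES = {0: "DEFAULT", 1: "NONE", 2: "CONNECT", 3: "CALL",
                     4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
# Assumed threshold: below PKT_INTEGRITY only the bind is authenticated,
# so later packets on the connection are not integrity-checked.
MIN_SAFE_LEVEL = 5


def flag_weak_winreg_binds(events):
    """Return one finding per WinReg RPC client call that left the SMB
    named-pipe transport (ncacn_np) and bound below PKT_INTEGRITY."""
    findings = []
    for ev in events:
        if ev.get("InterfaceUuid", "").lower() != WINREG_IFACE_UUID:
            continue  # some other RPC interface
        if ev.get("Protocol") == "ncacn_np":
            continue  # normal WinReg path over SMB, not the fallback
        level = int(ev.get("AuthenticationLevel", 0))
        if level >= MIN_SAFE_LEVEL:
            continue  # TCP, but every packet is integrity-protected
        findings.append({
            "pid": int(ev["ProcessId"]),
            "protocol": ev["Protocol"],
            "target": ev.get("NetworkAddress", ""),
            "authn_level": "RPC_C_AUTHN_LEVEL_" + AUTHN_LEVEL_NAMES.get(level, str(level)),
        })
    return findings


# Constructed sample events (not real captures). Field names follow the
# Microsoft-Windows-RPC client-call events but are an assumption here.
SAMPLE_EVENTS = [
    # Normal path: WinReg over SMB named pipe -> not flagged
    {"ProcessId": 1200, "InterfaceUuid": WINREG_IFACE_UUID, "Protocol": "ncacn_np",
     "NetworkAddress": "dc01", "AuthenticationLevel": 2},
    # Fallback path: WinReg over TCP with CONNECT-level auth -> flagged
    {"ProcessId": 4321, "InterfaceUuid": WINREG_IFACE_UUID, "Protocol": "ncacn_ip_tcp",
     "NetworkAddress": "192.0.2.10", "AuthenticationLevel": 2},
    # Different interface over TCP (placeholder UUID) -> not flagged
    {"ProcessId": 4321, "InterfaceUuid": "11111111-2222-3333-4444-555555555555",
     "Protocol": "ncacn_ip_tcp", "NetworkAddress": "192.0.2.10", "AuthenticationLevel": 2},
    # WinReg over TCP but with PKT_PRIVACY -> not flagged
    {"ProcessId": 5555, "InterfaceUuid": WINREG_IFACE_UUID, "Protocol": "ncacn_ip_tcp",
     "NetworkAddress": "192.0.2.11", "AuthenticationLevel": 6},
]
```

Feed it real records by mapping your ETW consumer's output to the same field names; only the WinReg-over-TCP-with-CONNECT case should surface.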
Exchange during an NTLM authentication relay attack.