In recent years, enterprise security teams have lived in fear of the dreaded APT -- associated with attackers who... are relentless and tend to use the latest and greatest malware. But a security vendor has warned that there are plenty of less sophisticated, equally devastating attacks that hinge on trickery and simple code, often eschewing advanced malware entirely.
Case in point, researchers from application security vendor Imperva Inc. recently released a report showcasing how flaws in the NT LAN Manager (NTLM) -- a challenge-response authentication protocol used by Microsoft -- could be exploited by an attacker to gain the access rights of numerous users on an enterprise network, with potentially catastrophic consequences.
To take advantage of weaknesses in the NTLM protocol, attackers simply need to gain an initial foothold on a single enterprise machine -- a feat that can be easily accomplished without malware, using methods like spearphishing and stealing devices. With access to that machine, a number of NTLM security vulnerabilities are available for attackers to exploit, from a problem with its authentication-response calculation to a weak challenge-response algorithm.
An easy, yet devastating option available to attackers is what Imperva describes as "poisoning the well" -- essentially planting a maliciously crafted icon in a folder on a file share server. A user clicking on such a folder initiates what is known as an NTLM relay, an attack that provides a frightening level of access to a malicious actor with minimal effort.
"Creating a shortcut with a custom icon is extremely simple either through the Windows UI or through a simple code," said Imperva researchers, who also provided some sample code. "Poisoning the well allows an attacker to quickly achieve an access level to the file server that is equivalent to the sum total of privileges granted to all users together."
The security community has long known about NTLM security issues, and Microsoft itself has warned that the protocol does not support recent cryptographic standards like SHA-256, adding that those in a position to use the updated Kerberos protocol should do so. Still, NTLM shows up in many corporate environments, largely due to issues of backwards compatibility.
While NTLM can be exploited in a potentially ruinous manner, Sagie Dulce, a data researcher with Redwood Shores, Calif.-based Imperva, cautioned that such problems are hardly exclusive to the authentication protocol, and that the vendor's research was meant more to call attention to a larger issue -- namely the numerous avenues of exploitation available to attackers.
"The interesting thing about NTLM is that it is old, it has tons of security flaws and yet everyone still uses it," said Dulce. "By using a simple vulnerability that everyone knows about, I can just run a simple Python script and get access to every machine in an organization. [NTLM relay] is pretty easy to do and gets me the same result as a sophisticated cyberattack."
Easily deployed attacks against widely used protocols like NTLM completely invert the cost-to-benefit ratio for attackers, according to Barry Shteiman, director of security strategy for Imperva. Whereas developing a zero-day exploit or unique malware may take months and thousands of dollars, Shteiman said an attacker could instead target a weakness that everyone already knows exists, but that many enterprises fail to patch.
To mitigate NTLM-based attacks, security teams could either upgrade the protocol to the latest version, said Shteiman, or ideally move to the Kerberos protocol and ditch NTLM altogether. More broadly though, Shteiman indicated that enterprises should consider monitoring Active Directory and sensitive data for unusual changes -- a strategy that may not keep attackers from infiltrating a network, but can help keep them from exfiltrating an organization's crown jewels.
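The monitoring approach Shteiman describes, in which access from a computer the organization does not allow is what matters, can be turned into a concrete check. The script below is an added example written for this article, not Imperva's tooling or the script Dulce mentions. It runs over constructed sample events shaped like Windows Security event 4624 (successful logon) and assumes a per-account allow-list of source IP addresses; the account names, hosts and addresses are invented. It flags NTLM network logons from unapproved sources and accounts whose NTLM logons reach many distinct servers within a few minutes, which is the footprint a relayed credential tends to leave.

```python
"""Detection example: NTLM network logons from unapproved sources, and accounts
whose NTLM logons fan out across many servers in a short window.
Runs over constructed sample events, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed JSON lines carrying a subset of the fields of Windows Security
# event 4624; "Computer" is the server that logged the event (the target).
SAMPLE_LOG = """
{"TimeCreated": "2014-04-30T09:00:00", "Computer": "FS01", "EventID": 4624, "TargetUserName": "jsmith", "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-JSMITH", "IpAddress": "10.0.0.15"}
{"TimeCreated": "2014-04-30T09:00:30", "Computer": "FS01", "EventID": 4624, "TargetUserName": "jsmith", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "WorkstationName": "WS-JSMITH", "IpAddress": "10.0.0.15"}
{"TimeCreated": "2014-04-30T09:01:00", "Computer": "FS01", "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "BACKUP01", "IpAddress": "10.0.0.50"}
{"TimeCreated": "2014-04-30T09:02:00", "Computer": "FS01", "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "BACKUP01", "IpAddress": "10.0.5.7"}
{"TimeCreated": "2014-04-30T09:02:10", "Computer": "FS02", "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "BACKUP01", "IpAddress": "10.0.5.7"}
{"TimeCreated": "2014-04-30T09:02:40", "Computer": "DC01", "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "BACKUP01", "IpAddress": "10.0.5.7"}
{"TimeCreated": "2014-04-30T09:03:00", "Computer": "WS-JSMITH", "EventID": 4624, "TargetUserName": "jsmith", "LogonType": 2, "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-JSMITH", "IpAddress": "-"}
{"TimeCreated": "2014-04-30T09:30:00", "Computer": "FS02", "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "BACKUP01", "IpAddress": "10.0.0.50"}
""".strip().splitlines()

# Hypothetical allow-list: the source addresses each account may log on from.
ALLOWED_SOURCES = {"jsmith": {"10.0.0.15"}, "svc_backup": {"10.0.0.50"}}


def load_events(lines):
    """Parse JSON lines into dicts, adding a datetime under 'time'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["TimeCreated"])
        events.append(e)
    return events


def ntlm_network_logons(events):
    """Keep successful network (type 3) logons authenticated with NTLM.
    Interactive logons and Kerberos-backed logons are out of scope here."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"].upper() == "NTLM"]


def disallowed_sources(events, allowed):
    """Return (account, source_ip, target) for NTLM logons whose source IP is
    not on the account's allow-list. Keyed on IpAddress, not WorkstationName:
    the workstation name is supplied by the client inside the NTLM messages,
    so a relayed authentication still carries the victim's machine name,
    while IpAddress reflects where the connection actually came from."""
    findings = []
    for e in ntlm_network_logons(events):
        user = e["TargetUserName"]
        if e["IpAddress"] not in allowed.get(user, set()):
            findings.append((user, e["IpAddress"], e["Computer"]))
    return findings


def target_fanout(events, window, threshold):
    """For each account, the largest number of distinct target computers
    reached with NTLM inside any `window`; accounts at or above `threshold`
    are returned. One credential landing on many servers within minutes is
    the shape a relay leaves behind, whatever the source looks like."""
    by_user = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_user[e["TargetUserName"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        best = 0
        for i, start in enumerate(evs):
            targets = {x["Computer"] for x in evs[i:]
                       if x["time"] - start["time"] <= window}
            best = max(best, len(targets))
        if best >= threshold:
            flagged[user] = best
    return flagged


def run():
    """Apply both checks to the constructed sample log."""
    events = load_events(SAMPLE_LOG)
    return (disallowed_sources(events, ALLOWED_SOURCES),
            target_fanout(events, timedelta(minutes=5), 3))


if __name__ == "__main__":
    bad, fan = run()
    for user, ip, target in bad:
        print(f"NTLM logon for {user} from unapproved source {ip} on {target}")
    for user, count in fan.items():
        print(f"{user}: NTLM logons reached {count} distinct hosts in 5 minutes")
```

On the sample data the first check reports three logons for svc_backup from 10.0.5.7, and the second reports that the same account reached three servers inside five minutes, while jsmith's single NTLM logon from its own workstation passes both. In a real deployment the allow-list would come from asset inventory or group policy rather than a dictionary, and the window and threshold need tuning per environment, since service accounts legitimately touch many hosts.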
"You don't need to wait for the malware to infiltrate a user's computer," said Shteiman. "If you're aware that the data is being accessed from a computer that you don't allow, that's what matters.
"Every time that you build a defense on top of protocol, you can find a vulnerability. Look at Heartbleed a few weeks ago," continued Shteiman. "It's very difficult to find a way to block a persistent user [who] is after data."