The Information Highway

The Information Highway
Font size: +
  Print
2 minutes reading time (379 words)

Active exploitation of Microsoft vulnerability

236 Hits

Threat update

Microsoft announced that a recently disclosed security flaw had been exploited just one day after it released fixes for the vulnerability. CVE-2024-21410, an Exchange Server vulnerability, with a CVSS score of 9.8, allows threat actors to escalate privileges of the affected Exchange Server.

Technical Detail and Additional Info

What is the threat?

CVE-2024-21410 can allow remote unauthenticated threat actors to escalate privileges in New Technology LAN Manager (NTLM) and execute relay attacks targeting vulnerable versions of Microsoft Exchange Server. Threat actors can force a network device, such as a server or domain controller, to authenticate against an NTLM relay under their control to impersonate the targeted devices and elevate their privileges. 

Why is it noteworthy?

While specific details regarding the exploitation and the identity of the threat actors behind it are currently undisclosed, it's worth noting the historical association with hacker groups such as APT28. These groups have a track record of exploiting vulnerabilities in Microsoft Outlook, particularly for staging NTLM relay attacks. Recently, they've been linked to NTLM relay attacks targeting high-value entities since at least April 2022. These attacks have focused on organizations spanning foreign affairs, energy, defense, transportation, labor, social welfare, finance, parenthood, and local city councils. 

What is the exposure or risk?

This flaw presents an opportunity for attackers to conduct credential-leaking attacks against NTLM clients like Outlook. Microsoft warns that the leaked credentials can be relayed to an Exchange server. Successful exploitation can lead to the attacker assuming the victim client's privileges and execute operations on the Exchange server. 

What are the recommendations?

LBT Technology Group, LLC. recommends the following actions to mitigate the impact of CVE-2024-21410:

  • Implement Exchange Server 2019 Cumulative Update 14 (CU14) which includes NTLM credentials relay protection to reduce risks from this vulnerability.
  • Use the ExchangeExtendedProtectionManagement PowerShell script for versions prior to Exchange Server 2019 to activate extended protection (EP).
  • Review Microsoft's EP documentation to identify and address any potential issues. Conduct thorough assessments of the environment before enabling EP.

References

 For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact LBT's Sales Engineer.


0
How do you feel about this post?
Happy (0)
Love (0)
Surprised (0)
Sad (0)
Angry (0)
Tags:
Exchange Server vulnerability CVE -2024-21410 security flaw block Microsoft move
CISA tags Microsoft SharePoint RCE bug as actively...
New GoFetch attack on Apple Silicon CPUs can steal...

About the author

LBT Technology Group, LLC.

LBT Technology Group, LLC.

As we navigate our ever-evolving cyber society, LBT Technology Group believes providing comprehensive IT services to others is essential. As a Managed IT Services Provider (MSP), we are positioned to eliminate your pain points by optimizing your technology, mitigating your cyber security risk footprint, and improving your cyber resilence. The focus we place on reducing the presistent cyber security risks to the confidentiality, integrity, and availability of your information systems and our proficiency in restoring IT services in the event of a cyber attack or technology outage separates us from our competitors--WE SIMPLIFY YOUR IT EQUATION.
Author's recent posts
More posts from author

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Friday, 17 May 2024

Captcha Image