Data security firm Varonis has disclosed a new vulnerability and three attack techniques that could be used to obtain NTLM v2 hashes by abusing Microsoft Outlook and two Windows programs. The newly discovered vulnerability, tracked as CVE-2023-35636, has been rated 'important' by Microsoft and was fixed in its December 2023 Patch Tuesday updates. The other issues, rated 'moderate' in severity, remain unpatched, according to Varonis.
NTLM v2 is a protocol that facilitates user authentication to remote servers. The NTLM v2 hash of a user's password can be a valuable asset for threat actors as it can be used directly for authentication or to launch a brute-force attack to obtain the plaintext password.
Varonis demonstrated how an attacker could exploit CVE-2023-35636 to obtain NTLM hashes by sending a specially crafted email to the targeted Outlook user. The vulnerability lies in a calendar sharing feature of Outlook. The attacker sends an email with two specially crafted headers: one indicating that the message contains sharing content, and the other pointing the victim's Outlook session at a server under the attacker's control. If the victim clicks 'Open this iCal' in the malicious message, their device attempts to retrieve the configuration file from the attacker's server, exposing the NTLM hash during the authentication exchange.
Another method of obtaining the NTLM v2 hash involves exploiting the Windows Performance Analyzer (WPA) tool, commonly used by developers. Varonis researchers discovered a specific URI handler used to process WPA-related links, which attempts to authenticate using NTLM v2 over the open internet, thereby exposing the NTLM hash. This technique involves sending an email with a link designed to redirect the victim to a malicious WPA payload on a site controlled by the attacker.
The last two attack techniques discovered by Varonis involve manipulation of the Windows File Explorer, which is found on all Windows computers. Both variations of the File Explorer attack involve the attacker sending a malicious link to the targeted user via email, social media, or other channels. Varonis explained, 'Once the victim clicks the link, the attacker can obtain the hash and then try to crack the user’s password offline. Once the hash has been cracked and the password obtained, an attacker can use it to log on to the organization as the user. With this payload, the explorer.exe will try to query for files with the .search-ms extension.'
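All three techniques share the same tell from the defender's side: a workstation authenticates with NTLM to a host on the open internet, and, in the File Explorer variant, the lure is a link to a `.search-ms` file. The following script is an added example written for this article, not code from Varonis or Microsoft. It assumes a simple space-separated firewall log format and a list of links already extracted from inbound mail; both the log lines and the links are constructed samples, and the public addresses in them are documentation-range placeholders.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample firewall log (not from the article).
# Format: timestamp src_ip dst_ip dst_port proto action
SAMPLE_FW_LOG = """\
2023-12-13T10:01:02Z 10.20.30.41 10.20.30.5 445 tcp allow
2023-12-13T10:01:09Z 10.20.30.41 203.0.113.77 445 tcp allow
2023-12-13T10:02:15Z 10.20.30.52 198.51.100.9 443 tcp allow
2023-12-13T10:03:40Z 10.20.30.41 203.0.113.77 139 tcp allow
2023-12-13T10:04:01Z 10.20.30.60 192.168.7.7 445 tcp allow
"""

# Constructed sample of links pulled out of inbound mail (not from the article).
SAMPLE_LINKS = [
    "https://intranet.example.internal/reports/q4.pdf",
    "https://203.0.113.77/share/payroll.search-ms",
    "http://cdn.example.net/assets/logo.png",
]

# Ports on which a Windows client negotiates NTLM when asked to open a remote share.
SMB_PORTS = {445, 139}

# Address space we treat as "ours". RFC 1918 ranges plus loopback; anything else
# is the open internet for the purpose of this check.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_internal(ip_text):
    """True when the address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def flag_outbound_smb(log_text):
    """Return (src, dst, port) for SMB flows from an internal host to the internet.

    This is the network-level footprint of every technique in the article: the
    client sends its NTLM v2 challenge/response to a server the attacker controls.
    Internal-to-internal SMB is ordinary file sharing and is ignored.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _proto, _action = line.split()
        port = int(port)
        if port in SMB_PORTS and is_internal(src) and not is_internal(dst):
            hits.append((src, dst, port))
    return hits


def flag_search_ms_links(links):
    """Return links whose path names a .search-ms file.

    The article notes that explorer.exe will query for files with this
    extension when the payload is opened, so a mailed link to one is a
    candidate for quarantine regardless of where it points.
    """
    return [u for u in links if urlparse(u).path.lower().endswith(".search-ms")]


if __name__ == "__main__":
    for src, dst, port in flag_outbound_smb(SAMPLE_FW_LOG):
        print(f"outbound SMB to internet: {src} -> {dst}:{port}")
    for link in flag_search_ms_links(SAMPLE_LINKS):
        print(f"suspicious saved-search link: {link}")
```

The two checks are deliberately independent: the firewall check catches the hash leak itself, whichever lure delivered it, while the link check catches the File Explorer lure before anyone clicks. Run against the constructed samples, the first reports the two flows from 10.20.30.41 to 203.0.113.77 and the second reports the single `.search-ms` link.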