New preview detection: Suspected NTLM authentication tampering

%3CLINGO-SUB%20id%3D%22lingo-sub-759348%22%20slang%3D%22en-US%22%3ENew%20preview%20detection%3A%20Suspected%20NTLM%20authentication%20tampering%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-759348%22%20slang%3D%22en-US%22%3E%3CP%3EA%20few%20weeks%20ago%2C%20Microsoft%20published%20Security%20Advisory%26nbsp%3B%3CU%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fportal.msrc.microsoft.com%252Fen-US%252Fsecurity-guidance%252Fadvisory%252FCVE-2019-1040%26amp%3Bdata%3D02%257C01%257CTali.Ash%2540microsoft.com%257C85f2145631b3428a051108d7055be3f5%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636983764545539683%26amp%3Bsdata%3D%252F92XUWGENNRKsPCgchl2WylAY1iM1XyN99rIwvGAUCo%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECVE-2019-1040%3C%2FA%3E%3C%2FU%3E%2C%20and%20announced%26nbsp%3Bdiscovery%20of%20a%20new%26nbsp%3Btampering%20vulnerability%26nbsp%3Bin%20Microsoft%20Windows.%20Specifically%2C%26nbsp%3Bwhen%26nbsp%3B%E2%80%9Cman-in-the-middle%E2%80%9D%20attacks%20are%26nbsp%3Bable%20to%20successfully%20bypass%20NTLM%20MIC%20(Message%20Integrity%20Check)%20protection.%3C%2FP%3E%0A%3CP%3EAttackers%20that%20successfully%20exploit%20this%20vulnerability%20have%20the%20ability%20to%20downgrade%20NTLM%20security%20features%20and%20successfully%20create%20authenticated%20session%20on%20behalf%20of%20other%20account.%20Unpatched%20Windows%20Servers%20are%20at%20risk%20from%20this%20vulnerability.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EStarting%20from%20Version%202.86%2C%20Azure%20ATP%20detects%20NTLM%20authentication%20packets%20suspected%20of%20exploiting%26nbsp%3BCVE-2019-1040%26nbsp%3Bagainst%20a%20domain%20controller%20in%20the%20network%2C%20and%20issues%20a%20security%20alert%20like%20the%20one%20shown%20below.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20more%20information%20visit%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fatasaguide-NTLMCVEexploit%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Fatasaguide-NTLMCVEexploit%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EStay%20tuned%20for%20additional%20alerts%20and%20updates.%20As%20always%2C%20your%20questions%20and%20feedback%20are%26nbsp%3Bwelcome!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F123555i89C8360208063E46%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22NTLM%20tampering.png%22%20title%3D%22NTLM%20tampering.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

A few weeks ago, Microsoft published Security Advisory CVE-2019-1040, and announced discovery of a new tampering vulnerability in Microsoft Windows. Specifically, when “man-in-the-middle” attacks are able to successfully bypass NTLM MIC (Message Integrity Check) protection.

Attackers that successfully exploit this vulnerability have the ability to downgrade NTLM security features and successfully create authenticated session on behalf of other account. Unpatched Windows Servers are at risk from this vulnerability.

 

Starting from Version 2.86, Azure ATP detects NTLM authentication packets suspected of exploiting CVE-2019-1040 against a domain controller in the network, and issues a security alert like the one shown below.

 

For more information visit https://aka.ms/atasaguide-NTLMCVEexploit

 

Stay tuned for additional alerts and updates. As always, your questions and feedback are welcome!

 

NTLM tampering.png

0 Replies