Attention IT Support Staff – Zero Day Attack – by Ron Benvenisti

IT support companies should be proactive about the following. If you are not an IT support person, you can read something else on the Scoop, but if you are a customer of an IT support company or have internal IT support, make certain that the following protections are in place to prevent a zero-day attack (one that you don’t see coming and has no prior remedy so it could’ve already happened and you wouldn’t necessarily know).

Windows NTLM security protocols, allow attackers to create a new domain administrator account and get control of the entire domain.

NT LAN Manager (NTLM) is an old authentication protocol used on networks that include systems running the Windows operating system and stand-alone systems it should be removed immediately. NTLM was replaced by Kerberos in Windows 2000 that adds greater security to systems on a network but NTLM is still supported by Microsoft and continues to be used widely by support companies and internally.

Find out if you or your support contractor is using NTLM immediately.

There are two serious vulnerabilities:

Unprotected Lightweight Directory Access Protocol (LDAP) from a NTLM relay, and
Remote Desktop Protocol (RDP) Restricted-Admin mode.

LDAP fails to adequately protect against NTLM relay attacks, even when it has built-in LDAP signing the defensive measure, which only protects from man-in-the-middle (MitM) attacks and not from credential forwarding.

Make sure your IT people understand this because an attacker with SYSTEM privileges on a target system can use incoming NTLM sessions and perform LDAP operations, like updating domain objects, on behalf of the NTLM user.

“To realize how severe this issue is, we need to realize all Windows protocols use the Windows Authentication API (SSPI) which allows downgrade of an authentication session to NTLM,” Yaron Zinar from Preempt said in a blog post, detailing the vulnerability. As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network.”

Enough said about this one.

The second NTLM vulnerability affects Remote Desktop Protocol Restricted Admin mode – this allows users to connect to a remote computer without giving their password.

RDP Restricted-Admin allows authentication systems to downgrade to NTLM. This means the attacks performed with NTLM, such as credential relaying and password cracking, could also be carried out against RDP Restricted-Admin. Getting hit from all sides is when combined with the LDAP relay vulnerability, an attacker could create a fake domain admin account whenever an admin connects with RDP Restricted-Admin and get control of the entire domain.

Microsoft acknowledged the NTLM LDAP vulnerability in May, assigning it CVE-2017-8563, but dismissed the RDP bug, claiming it is a “known issue” and recommending configuring a network to be safe from any NTLM relay. Do your cybersecurity homework.

“In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to send malicious traffic to a domain controller. An attacker who successfully exploited this vulnerability could run processes in an elevated context,” Microsoft explained in its advisory.

“The update addresses this vulnerability by incorporating enhancements to authentication protocols designed to mitigate authentication attacks. It revolves around the concept of channel binding information.”

Patch the vulnerable servers with NT LAN Manager enabled ASAP.

Turn NT LAN Manager off, it’s ancient and unreliable not mention full of holes. You should require that all incoming LDAP and SMB packets are digitally signed in order to prevent credential relay attacks.

Besides this NTLM relay flaw, Microsoft has released patches for 55 security vulnerabilities, which includes 19 critical, in several of its products, including Edge, Internet Explorer, Windows, Office and Office Services and Web Apps, .NET Framework, and Exchange Server.

Windows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild, let alone what may come today or tomorrow.

Be proactive. Protect yourself and your clients.

Enough said.

Ron Benvenisti
CyVision Technologies, Inc


This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at

Stay up to date via our news alerts, by sending 'follow LakewoodScoop' to the number '40404' or via Twitter handle @LakewoodScoop. Also find us on Instagram and Facebook.

Got a news tip? Email us at, text us 415-857-2667, or tweet us @LakewoodScoop.

Write a Comment

Please read comment rules before submitting your comment.

(required - will not be published)

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Answer the question below to prove you\'re human *