Azure Advanced Threat Protection Now Provides Alerts on NTLM Relay Issues

Microsoft on Monday touted its Azure Advanced Threat Protection (ATP) service as being capable of alerting organizations when they are subject to NT LAN Manager (NTLM) relay attacks.

The issue recently arose in the context of Exchange Server use. Researchers recently showed that most versions of the server can be subjected to attacks that lead to elevation of privilege.

Azure ATP Detection
In response to those findings, the Microsoft Azure ATP team added detections for the use of NTLM version 1, as well as NTLM version 2 when it's unsigned, which are both deemed insecure due to potential man-in-the-middle methods. NTLM versions 1 and 2 are old "legacy" protocols, but they still may be used by organizations.

"Although NTLMv1 and unsigned NTLMv2 should no longer be in use, our most recent research found that NTLMv1 is still commonly used in about 30-40% of the environments," explained Tal Maor of the Microsoft Azure ATP team in Microsoft's announcement.

The protocols might be found in environments using Windows Vista or Windows Server 2008 and earlier Windows versions, he noted. They also can be present in newer Windows systems that have backward compatibility support for NTLM, as well as "processes that implement the authentication mechanism themselves (such as Python modules like 'Impacket')," Maor added.

The insecurity of these protocols was highlighted in recent months by researchers, who demonstrated new proof-of-concept attacks that led to user impersonation capabilities (up to domain administrator privileges) in environments with Exchange Server.

NTLM version 2, when used with signing, has protections against NTLM relay attack methods. However, the version of NTLM that gets "used in each domain depends on the source computer that initiates the authentication," Maor said. Consequently, it's possible to be running newer versions of Active Directory and Windows Server and still be using NTLM version 1 "without realizing it," he added.
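The detections Maor describes look for NTLMv1 and unsigned NTLMv2 on the wire. A defender without Azure ATP can get part of the way from the domain controllers' own Security logs: logon event 4624 records the authentication package and, for NTLM, which version answered the challenge. The script below is an added example written for this article, not Microsoft's or Azure ATP's code. The four event records in it are constructed, with field labels following the 4624 event's "Detailed Authentication Information" section, and the fourth record mimics a script that implements NTLM itself and so reports no workstation name. It also encodes the LmCompatibilityLevel reading behind Maor's remark that the version in use depends on the source computer: policy levels 0 to 2 still let a client send an NTLMv1 response. Signing is not recorded in event 4624, so the unsigned-NTLMv2 half of the detection needs network visibility and is outside what this example can show.

```python
"""Flag NTLMv1 and LM logons in Windows Security event 4624 records and
check whether a client's LmCompatibilityLevel still permits NTLMv1.
Added example for this article; the event records are constructed."""
import re
from collections import Counter

# Constructed 4624 records, trimmed to the fields this example reads.
SAMPLE_EVENTS = [
    # NTLMv1 network logon from an old file server: the finding of interest.
    """An account was successfully logged on.
Logon Type:         3
New Logon:
    Account Name:       svc_backup
    Account Domain:     CORP
Network Information:
    Workstation Name:   FILESRV01
    Source Network Address: 10.0.5.21
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V1
    Key Length:         128""",
    # NTLMv2 logon from a current workstation.
    """An account was successfully logged on.
Logon Type:         3
New Logon:
    Account Name:       alice
    Account Domain:     CORP
Network Information:
    Workstation Name:   WS-ALICE
    Source Network Address: 10.0.5.40
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V2
    Key Length:         128""",
    # Kerberos logon: no NTLM package name is recorded.
    """An account was successfully logged on.
Logon Type:         3
New Logon:
    Account Name:       bob
    Account Domain:     CORP
Network Information:
    Workstation Name:   WS-BOB
    Source Network Address: 10.0.5.50
Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Package Name (NTLM only): -
    Key Length:         0""",
    # NTLMv1 from a host that supplied no workstation name, as a tool with
    # its own NTLM implementation might.
    """An account was successfully logged on.
Logon Type:         3
New Logon:
    Account Name:       scanner
    Account Domain:     CORP
Network Information:
    Workstation Name:   -
    Source Network Address: 10.0.9.9
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V1
    Key Length:         128""",
]

# One "Key: value" pair per line; section headers such as "New Logon:" parse
# to an empty value and are harmless.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:\t]+?):[ \t]*(?P<value>.*?)[ \t]*$", re.M)


def parse_event(text):
    """Return the event's fields as a dict. Later duplicates win, which in a
    full 4624 record yields the New Logon account rather than the Subject."""
    return {m.group("key").strip(): m.group("value") for m in FIELD_RE.finditer(text)}


def classify(fields):
    """Map a parsed 4624 record to kerberos / ntlmv2 / ntlmv1 / lm / other."""
    package = fields.get("Authentication Package", "")
    name = fields.get("Package Name (NTLM only)", "-")
    if package == "Kerberos":
        return "kerberos"
    if package == "NTLM":
        return {"NTLM V2": "ntlmv2", "NTLM V1": "ntlmv1", "LM": "lm"}.get(name, "other")
    return "other"


def find_legacy_logons(raw_events):
    """Return the NTLMv1/LM logons with the attributes an analyst needs to
    track down the source computer."""
    findings = []
    for text in raw_events:
        fields = parse_event(text)
        version = classify(fields)
        if version in ("ntlmv1", "lm"):
            findings.append({
                "version": version,
                "account": fields.get("Account Name", "?"),
                "workstation": fields.get("Workstation Name", "-"),
                "source": fields.get("Source Network Address", "-"),
            })
    return findings


def count_by_version(raw_events):
    """Counter of logons per authentication version, for a quick baseline."""
    return Counter(classify(parse_event(text)) for text in raw_events)


# LmCompatibilityLevel (HKLM\SYSTEM\CurrentControlSet\Control\Lsa) on the
# client decides what it sends: 0-2 still send LM/NTLMv1 responses, 3-5 send
# NTLMv2 only (4 and 5 additionally make a DC refuse LM, then LM and NTLM).
def client_may_send_ntlmv1(lm_compatibility_level):
    if not 0 <= lm_compatibility_level <= 5:
        raise ValueError("LmCompatibilityLevel must be 0..5")
    return lm_compatibility_level < 3


if __name__ == "__main__":
    for finding in find_legacy_logons(SAMPLE_EVENTS):
        print(finding)
    print(dict(count_by_version(SAMPLE_EVENTS)))
```

Run against exported 4624 records, the legacy list gives the source addresses and accounts to chase, while the version counts show how far an environment is from being able to raise LmCompatibilityLevel or enable the "Restrict NTLM" policies without breaking logons.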

The decades-old NTLM protocol provides challenge/response authentication for network connections. Microsoft still supports NTLM for Windows systems, but Kerberos has long been the preferred security protocol to use instead. Exchange Server becomes problematic in this regard because it has permissions that are too high by default with respect to Active Directory. Researcher Dirk-jan Mollema described getting Exchange Server to authenticate to an attacker "using NTLM over HTTP" and then using an NTLM relay attack to escalate privileges "from any user with a mailbox to Domain Admin."

Microsoft, in its Security Advisory CVE-2018-8581, has promised to deliver a future cumulative update for the Exchange Server elevation-of-privilege vulnerabilities, as highlighted by US-CERT. Microsoft also issued Security Advisory ADV190007 last week, which described a similar elevation-of-privilege vulnerability.

Other Detection Tools
Given those two advisories, Microsoft Azure ATP users likely will be happy to get the new NTLM warnings. However, organizations wanting that capability will need to have a subscription to the Microsoft 365 E5 licensing bundle, Microsoft's top-of-the-line offering.

San Francisco-based Preempt Security offers a free Preempt Inspector tool. It can be used to see if an organization is vulnerable to NTLM relay attacks.

In addition, StealthBits Technologies, a Hawthorne, N.J.-based security software company, recently described its solutions that can help with aspects of the NTLM vulnerability. Darin Pendergraft, vice president of product marketing at StealthBits, noted in a blog post that StealthBits can't address the Exchange Server vulnerability directly, but it does have solutions to ward off the ensuing elevation-of-privilege and impersonation problems. The company offers its StealthAudit product to check the default permissions of Exchange environments in using Active Directory. It has a StealthIntercept product that "can monitor and block DC Sync attacks, stopping that attack vector in its tracks," he indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
