A newly discovered critical zero-day vulnerability in Microsoft Windows is putting millions of users at risk. This flaw affects Windows versions from 7 to 11 (24H2) and allows attackers to steal NTLM credentials. The vulnerability can be triggered merely by viewing a malicious file in Windows Explorer, without actually opening it. This opens the door for unauthorized access, compromising sensitive systems and networks.
The Scope of the Vulnerability
This critical NTLM zero-day is the third significant security flaw discovered in recent months, adding to the list of serious vulnerabilities targeting Windows operating systems. It affects both the Personal and Server editions, and it can be exploited by attackers to gain access to NTLM credentials. This kind of exploit can lead to privilege escalation, lateral movement within networks, and complete system compromise, putting sensitive data and critical infrastructure in jeopardy.
How the Attack Works
The vulnerability allows attackers to steal login credentials when a victim merely views a malicious file in Windows Explorer. The flaw specifically targets NTLM (NT LAN Manager), the legacy protocol responsible for authenticating users and managing credentials in Windows environments. By exploiting this weakness, attackers can gain unauthorized access to systems, move laterally through networks, and escalate their privileges, all without the victim ever opening the file.
Immediate Mitigation Measures
Although Microsoft has yet to release an official patch for this vulnerability, National CERT has outlined several important steps to mitigate the risk. The first recommendation is to disable NTLM authentication entirely or enforce Group Policy settings to allow only NTLMv2. Additionally, restricting NTLM traffic to trusted servers only can prevent malicious connections from spreading. These steps will help to significantly reduce the potential impact of the vulnerability.
Blocking Outbound NTLM Connections
Another crucial measure recommended by National CERT is to block outbound NTLM connections to untrusted servers and external networks. Configuring firewalls to prevent these connections can stop attackers from exploiting the vulnerability and gaining unauthorized access to other systems. This step will help minimize the risk of an attacker gaining a foothold in the network and expanding their control over more devices.
System Hardening Recommendations
To further protect against the NTLM zero-day, National CERT advises system hardening practices. These include enabling Windows Defender Credential Guard, which helps prevent unauthorized access to credentials, and configuring secure NTLM settings. Additionally, leveraging Microsoft Defender’s exploit prevention tools can block malicious activities, stopping attacks before they can escalate. These measures strengthen system defenses and protect sensitive information.
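The Group Policy settings recommended above (NTLMv2 only, outgoing NTLM denied except to trusted servers, Credential Guard) are backed by registry values under HKLM. The PowerShell below is an added example, not code from the advisory or from National CERT: it reports drift from that desired state and, only with -Enforce, sets the values. The server list passed in -AllowedServers is a constructed placeholder; Credential Guard also needs VBS-capable hardware, and LsaCfgFlags = 1 applies a UEFI lock (use 2 to enable without the lock).

```powershell
# Added example (not from the advisory): check and optionally set the NTLM hardening
# values that back the recommended Group Policy settings. Run from an elevated
# PowerShell; settings take effect after a reboot or policy refresh. Pilot first:
# RestrictSendingNTLMTraffic = 2 denies ALL outgoing NTLM not listed as an exception.
[CmdletBinding()]
param(
    [switch]$Enforce,                 # without this switch the script only reports
    [string[]]$AllowedServers = @()   # e.g. 'fileserver.corp.example' (constructed placeholder)
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

# Desired state, keyed by registry path then value name.
$desired = @{
    $lsa = @{
        LmCompatibilityLevel = 5   # send NTLMv2 only, refuse LM and NTLMv1 ("allow only NTLMv2")
        LsaCfgFlags          = 1   # Credential Guard enabled with UEFI lock (2 = without lock)
    }
    $msv = @{
        RestrictSendingNTLMTraffic = 2   # "Restrict NTLM: Outgoing NTLM traffic" = Deny all
        AuditReceivingNTLMTraffic  = 2   # audit incoming NTLM for all accounts (NTLM/Operational log)
    }
    $dg = @{
        EnableVirtualizationBasedSecurity = 1   # VBS is a prerequisite for Credential Guard
    }
}

foreach ($path in $desired.Keys) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in $desired[$path].Keys) {
        $want = $desired[$path][$name]
        $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        $shown = if ($null -eq $have) { '<unset>' } else { $have }
        $state = if ($have -eq $want) { 'OK' } else { 'DRIFT' }
        '{0,-6} {1}\{2} = {3} (want {4})' -f $state, $path, $name, $shown, $want
        if ($Enforce -and $have -ne $want) {
            Set-ItemProperty -Path $path -Name $name -Value $want -Type DWord
        }
    }
}

# Trusted servers that may still receive NTLM ("Add remote server exceptions for NTLM authentication").
if ($Enforce -and $AllowedServers.Count -gt 0) {
    Set-ItemProperty -Path $msv -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
}
```

Once auditing is on, the NTLM/Operational event log records the outgoing and incoming NTLM attempts that the SIEM review recommended below should ingest.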
Compartmentalizing the Network
National CERT also recommends compartmentalizing the network by separating core systems from less secure infrastructure. This will limit the spread of attacks within the network and minimize the damage if a breach occurs. Using Security Information and Event Management (SIEM) systems to analyze NTLM traffic is another effective measure. These tools can help detect abnormal behavior and respond quickly to potential threats.
Limiting File Access and User Awareness
File access should also be strictly controlled. Limiting file access privileges and turning off preview features in Windows Explorer can help prevent accidental exposure to malicious files. National CERT also emphasizes the importance of raising user awareness regarding file risks. Users should be educated on the dangers of working with files received from untrusted sources, such as email attachments or USB flash drives.
Enforcing Strong Password Policies
In addition to improving file access controls, enforcing strict password policies can further enhance security. National CERT suggests promoting strong, unique passwords for all user accounts and implementing multi-factor authentication (MFA) where possible. This adds an additional layer of protection against unauthorized access, particularly in the event that credentials are compromised through this vulnerability.
Conclusion
National CERT stresses that without taking immediate action to address this vulnerability, organizations could face severe consequences, including data theft, critical system compromises, and reputational damage. The recommended steps to disable NTLM, block outbound connections, harden systems, and raise user awareness must be implemented promptly. Until Microsoft releases a patch, these measures are the best defense against this critical NTLM zero-day vulnerability.