InfoSecBulletin Cybersecurity for mankind
Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to steal NTLM credentials by deceiving targets into opening malicious files in Windows Explorer.
NTLM has been widely exploited in NTLM relay attacks (where threat actors force vulnerable network devices to authenticate to attacker-controlled servers) and pass-the-hash attacks (where they exploit vulnerabilities to steal NTLM hashes, which are hashed passwords).
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code
Attackers use stolen hashes to impersonate compromised users, accessing sensitive data and moving laterally within the network. Last year, Microsoft announced plans to phase out the NTLM authentication protocol in future Windows 11 versions.
ACROS Security researchers found a new vulnerability that discloses SCF File NTLM hashes while working on patches for another issue. This zero-day, which has not yet received a CVE-ID, impacts all Windows versions from Windows 7 to Windows 11, as well as Server 2008 R2 to Server 2025.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” said ACROS Security CEO Mitja Kolsek on Tuesday.
“Note that while these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim’s network or having an external target like a public-facing Exchange server to relay the stolen credentials to), they have been found to be used in actual attacks.”
Micropatches available for all 0patch users:
ACROS Security offers free, unofficial micropatches for this vulnerability to all Windows users until Microsoft provides official fixes.
“We reported this issue to Microsoft, and – as usual – issued micropatches for it that will remain free until Microsoft has provided an official fix,” Kolsek added. “We are withholding details on this vulnerability until Microsoft’s fix becomes available to minimize the risk of malicious exploitation.”
To install the micropatch on your Windows PC, create an account and install the 0patch agent. The agent will automatically apply the micropatch without needing a system restart, unless a custom patching policy prevents it.
A Microsoft spokesperson told, “We’re aware of this report and will take action as needed to help keep customers protected.”
Source: 0patch, BleepingComputer
