Microsoft has successfully patched the ShadowCoerce vulnerability

July 18, 2022

Microsoft has patched a previously known critical vulnerability called ShadowCoerce, which enables threat actors to target Windows servers with NTLM relay attacks.

Malicious entities can use the NTLM relay attack technique to force unpatched servers to authenticate against servers that the threat actors control. This method can lead to a complete takeover of the victim’s domain.

Additionally, the MS-FSRVP protocol is used to create file share shadow copies on remote computers. This protocol is also prone to NTLM relay attacks, which enables threat actors to coerce a domain controller into authenticating against a hostile NTLM relay server they control.

The malicious server relays the coerced authentication to the domain’s Active Directory Certificate Services (AD CS), which the threat actors use to acquire a Kerberos TGT. With that TGT, they can impersonate any network device, including the Windows domain controller.

After impersonating a domain controller, the threat actors hold elevated, admin-level privileges, which they can use to take control of the Windows domain.


Microsoft did not publicly announce its mitigation for ShadowCoerce, but word of the fix nonetheless made its way to the public.


A Microsoft representative explained that the company had organised no public announcement, but that the fix for CVE-2022-30154 mitigated ShadowCoerce. Moreover, the tech company revealed that the vulnerability was patched quietly while it was being researched together with the 0Patch group.

The firm also fixed a zero-day vulnerability called Windows LSA spoofing. The flaw was discovered last May and is tracked as CVE-2022-26925. Microsoft has already released a patch for it, and other experts later confirmed that the flaw is a variant of PetitPotam.

According to several cybersecurity researchers, the best way to mitigate such attacks is to follow Microsoft’s published advisory on preventing PetitPotam NTLM relay attacks, which describes the most effective defences against them.

The company suggested disabling web services on Active Directory Certificate Services (AD CS) servers. In addition, users should disable NTLM on domain controllers and enable Extended Protection for Authentication (EPA) and signing features. By applying these mitigations, users can safeguard their Windows credentials.
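The following PowerShell audit script is an added example, not code from the article or from Microsoft’s advisory. It checks, read-only, whether the three mitigations listed above are in place on an AD CS server: whether the AD CS web enrollment roles are installed, whether Extended Protection for Authentication is required on the CertSrv web application and whether NTLM is still offered as an authentication provider there, and whether incoming NTLM traffic is restricted through the LSA policy setting. The CertSrv site path is an assumed default; adjust it if web enrollment is hosted elsewhere.

```powershell
# Added example (not from the article): read-only audit of the NTLM relay mitigations
# recommended against PetitPotam/ShadowCoerce-style coercion. Run elevated on an AD CS
# server; the NTLM-restriction check is also meaningful on domain controllers.
# Requires the WebAdministration module (installed with the IIS management tools).
#Requires -RunAsAdministrator
Import-Module WebAdministration -ErrorAction Stop
Import-Module ServerManager -ErrorAction SilentlyContinue

function Get-NtlmRelayMitigationStatus {
    [CmdletBinding()]
    param(
        # Assumed default location of the web enrollment application.
        [string]$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. AD CS web roles: the advisory's first recommendation is to disable them if not needed.
    foreach ($role in 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc', 'ADCS-Enroll-Web-Pol') {
        $feature = Get-WindowsFeature -Name $role -ErrorAction SilentlyContinue
        $installed = [bool]($feature -and $feature.Installed)
        $findings.Add([pscustomobject]@{
            Check  = "AD CS web role $role"
            Value  = if ($feature) { $feature.InstallState } else { 'NotAvailable' }
            Pass   = -not $installed
            Advice = 'Remove the role, or require EPA and Kerberos-only authentication'
        })
    }

    # 2. Extended Protection for Authentication on the CertSrv application.
    if (Test-Path $CertSrvPath) {
        $filter = 'system.webServer/security/authentication/windowsAuthentication'
        $epa = Get-WebConfigurationProperty -PSPath $CertSrvPath -Filter $filter -Name 'extendedProtection'
        $tokenChecking = [string]$epa.tokenChecking   # None, Allow or Require
        $findings.Add([pscustomobject]@{
            Check  = 'CertSrv EPA tokenChecking'
            Value  = $tokenChecking
            Pass   = ($tokenChecking -eq 'Require')
            Advice = 'Set extendedProtection.tokenChecking to Require and bind the site to HTTPS'
        })

        # Authentication providers offered by CertSrv: NTLM being present means a relayed
        # NTLM authentication can still reach the enrollment endpoint.
        $providers = Get-WebConfiguration -PSPath $CertSrvPath -Filter "$filter/providers/add" |
            ForEach-Object { [string]$_.value }
        $findings.Add([pscustomobject]@{
            Check  = 'CertSrv Windows authentication providers'
            Value  = ($providers -join ', ')
            Pass   = -not ($providers -contains 'NTLM')
            Advice = 'Remove NTLM; leave Negotiate:Kerberos only'
        })
    }
    else {
        $findings.Add([pscustomobject]@{
            Check = 'CertSrv application'; Value = 'NotFound'; Pass = $true
            Advice = "No web enrollment at $CertSrvPath (or adjust -CertSrvPath)"
        })
    }

    # 3. "Network security: Restrict NTLM: Incoming NTLM traffic" policy, stored under MSV1_0.
    # Absent/0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = (Get-ItemProperty -Path $lsaKey -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
    $findings.Add([pscustomobject]@{
        Check  = 'Incoming NTLM restriction (RestrictReceivingNTLMTraffic)'
        Value  = if ($null -eq $restrict) { 'NotSet (allow all)' } else { $restrict }
        Pass   = ($restrict -ge 1)
        Advice = 'Audit NTLM usage first, then deny incoming NTLM via Group Policy'
    })

    return $findings
}

# Usage: print one row per check; any Pass = False row is a gap in the mitigations above.
Get-NtlmRelayMitigationStatus | Format-Table Check, Value, Pass, Advice -AutoSize
```

The script only reads configuration; apply the corresponding changes through Group Policy and IIS Manager after auditing NTLM usage, since denying incoming NTLM on a domain controller breaks any client that still depends on it.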
