Attack from the ’90s resurfaces more deadly than before. A flaw in how Windows handles old authentication procedures for shared network resources can leak a user’s Microsoft account username and password, or VPN credentials if the user is using a VPN to surf the Internet.
The exploit relies on an attacker embedding a link to an SMB resource (network share) inside a Web page or an email that gets viewed via Outlook.
The attacker can disguise the link to his network share inside image tags, but instead of the proper image link, he can place the link to a network share hosted on his own network.
When a user accessed the link via Internet Explorer, Edge, or Outlook, because of the way Windows handles authentication for network shares, the user’s computer will automatically send the user’s login credentials to authenticate on the crook’s domain, even via the Internet.
While the Microsoft account password is not leaked in cleartext, but as an NTLM hash, researchers have proved a long time ago that these hashes can be easily cracked.
This isn’t even something new, since Microsoft and the researcher community has known about this issue since 1997, and often discussed it at security conferences such as Black Hat.
While this wasn’t a problem in the past since Windows accounts were using machine-localized usernames and passwords, beginning with Windows 8 and onward Microsoft started to allow users to authenticate on their computers with Microsoft accounts. In Windows 10, this became the de-facto standard authentication method, meaning more users started using it.
In recent years, Microsoft started linking all its online realties with the user’s same Microsoft account. According to ValdikSS from ProstoVPN, this old attack now has new claws, allowing a crook to get his hands on credentials for Microsoft accounts that will indirectly also grant him access to all sorts of services like Skype, Xbox, OneDrive, Office 360, MSN, Bing, Azure and more.
Even worse, if the user is utilizing a VPN connection to load the corrupt SMB resource, than his VPN credentials get leaked instead, allowing the crook to access the victim’s VPN account.
“Microsoft successfully fixed some issues, some other issues were half-fixed, and another ones are not fixed at all and could be exploited up to this day,” ValdikSS explains. “The problem of transmitting account credentials to the SMB server over the internet is one of the not fixed ones.”
ValdikSS says the easiest way to protect oneself against such attacks is to block all outgoing SMB connections (port 445) via the Windows firewall, except for local networks.
But the best defense against this attack is not to use your Microsoft account to log into your Windows PC.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.