#NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073 #vulnerability
A Look in the Mirror - The Reflective #Kerberos Relay Attack
https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
#ntlm
Майский «В тренде VM»: уязвимости в Microsoft Windows и фреймворке Erlang/OTP
Хабр, привет! На связи Александр Леонов, ведущий эксперт PT Expert Security Center и дежурный по самым опасным уязвимостям месяца. Мы с командой аналитиков Positive Technologies каждый месяц исследуем информацию об уязвимостях из баз и бюллетеней безопасности вендоров, социальных сетей, блогов, телеграм-каналов, баз эксплойтов, публичных репозиториев кода и выявляем во всем этом многообразии сведений трендовые уязвимости. Это такие уязвимости, которые либо уже эксплуатируются вживую, либо будут эксплуатироваться в ближайшее время. С прошлого дайджеста мы добавили еще 4 трендовых уязвимости.
https://habr.com/ru/companies/pt/articles/909802/
#трендовые_уязвимости #microsoft #windows #erlang #ssh #cve #cvss #малварь #эксплойты #ntlm
🚨 Legacy Windows Servers are exposed to a critical 0-click NTLM authentication bypass vulnerability via Telnet! 🛑 Are your systems at risk? Find out how this deadly flaw could compromise your security. #WindowsServer #CyberSecurity #Telnet #NTLM #TechRisk
https://pupuweb.com/legacy-windows-server-risk-critical-0-click-ntlm-authentication-bypass-telnet/
Attacken auf Microsofts #NTLM-Authentifizierung in freier Wildbahn | Security https://www.heise.de/news/Angriffe-auf-Microsoft-NTLM-Authentifizierung-beobachtet-10357572.html #Windows :windows: #Microsoft #Patchday #Exploit #CyberCrime
La #vulnerabilidad CVE-2025-24054 se encuentra bajo ataque activo, permitiendo el robo de credenciales #NTLM a través de la descarga de archivos
https://blogs.masterhacks.net/noticias/hacking-y-ciberdelitos/cve-2025-24054-esta-bajo-ataque-activo-permite-el-robo-de-credenciales-ntlm-al-descargar-archivos/
CVE-2025-24054, NTLM Exploit in the Wild
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
Windows – CVE-2025-24054 : cet exploit NTLM est utilisé pour cibler entreprises et gouvernements https://www.it-connect.fr/windows-cve-2025-24054-cet-exploit-ntlm-est-utilise-pour-cibler-entreprises-et-gouvernements/ #ActuCybersécurité #Cybersécurité #Phishing #Windows #NTLM
MS: This is no big deal
Hackers, 8 days later: Well, how about now?
#cybersecurity #ntlm #hashing #microsoft #cve #microsoft
https://www.theregister.com/2025/04/21/microsoft_apple_patch/
Crazy example of a real NTLM exploit in action: a PDF, a single click, and boom—credentials compromised.
This is CVE-2025-24054 in the wild,
Stay sharp. The bad actors sure are.
#CyberSecurity #Infosec #NTLM #ThreatIntel #RedTeam #CVE202524054
Heads up, security folks!
There’s a fresh CVE out in the wild—CVE-2025-24054—and it’s not messing around.
This one abuses Windows .library-ms files to sneakily leak your NTLMv2 hashes. Just previewing a malicious file could trigger it—no clicks needed. Yep, that easy for attackers to get their foot in the door.
The kicker? It’s already being exploited in the wild, just days after Microsoft’s patch dropped in March. First targets were spotted in Poland and Romania, but we all know these things don’t stay local for long.
What to do:
• Patch now (if you haven’t already).
• Block suspicious SMB traffic.
• Rethink NTLM—disable it where you can.
Full breakdown from Check Point here:
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
#CyberSecurity #Infosec #Windows #NTLM #CVE202524054 #BlueTeam #PatchNow
⚠️ CVE-2025-24054 is now under active attack — and it only takes a single click to leak NTLM hashes from a Windows system.
CISA has added this medium-severity Windows vulnerability to its Known Exploited Vulnerabilities catalog after confirming exploitation in the wild. The flaw enables attackers to harvest NTLM credentials through specially crafted .library-ms files.
Here’s how it works:
- A user receives a malicious file — even a single click (no execution needed) can trigger NTLM hash leakage
- Attackers send these files via phishing emails, often packed in ZIP archives or delivered directly
- Opening the archive or previewing the file initiates an SMB request, leaking NTLMv2-SSP hashes
- These hashes can then be used for pass-the-hash or lateral movement attacks inside the network
Check Point reports that the vulnerability has been exploited in at least 10 campaigns so far, targeting government and private organizations in Poland, Romania, Ukraine, and Colombia.
What makes this threat more dangerous:
- NTLM is deprecated but still present in many environments
- Minimal user interaction is required — just download and extract
- It bypasses common detection tools by triggering quietly in Windows Explorer
- It's a variant of a previously exploited flaw (CVE-2024-43451)
Microsoft patched the flaw in March, but exploitation began almost immediately. Agencies under the FCEB have until May 8 to patch — but every organization should act sooner.
At @Efani we view this as another reminder that legacy protocols like NTLM are low-hanging fruit for attackers. Even medium-severity flaws can become major risks when they require near-zero user interaction.
Patch. Audit. Replace legacy auth where possible.
#CyberSecurity #NTLM #WindowsVulnerability #CVE202524054 #CredentialSecurity #EfaniSecure
CVE-2025-24071
Poc NTLM Hash Leak via RAR/ZIP Extraction and .library-ms File
Hey Cyber Security Pros! 👋
Ready to dive into the latest security updates and breaches that should be on your radar? We've got you covered.
🗞️ https://opalsec.io/daily-news-update-wednesday-march-26-2025-australia-melbourne/
At a high level, here are the main stories:
- EncryptHub's Zero-Day Exploits: Trend Micro links EncryptHub (a.k.a. Water Gamayun) to attacks leveraging a Microsoft Management Console (MMC) zero-day vulnerability (CVE-2025-26633). Discover how they're bypassing Windows protections and deploying various payloads.
- Windows NTLM Hash Leak Zero-Day: A new zero-day flaw allows remote attackers to steal NTLM credentials. Learn how this vulnerability affects all Windows versions and how 0Patch is providing unofficial fixes. Don't forget about those older, unpatched vulnerabilities too!
- HaveIBeenPwned Gets Phished: Even security experts aren't immune! Troy Hunt shares his experience of a sophisticated Mailchimp phishing attack. Lessons learned on OTP security and the importance of monitoring password manager behavior.
- Oracle Breach Controversy: Customers are confirming the legitimacy of leaked data despite Oracle Cloud's denial. Could this lead to supply chain and ransomware attacks? Ensure you're rotating those SSO and LDAP credentials and enforcing strong MFA!
- Astral Foods Cyberattack: South Africa's largest chicken producer faced a $1 million loss due to a recent cyberattack.
- Android Malware Evolution: New Android malware is using .NET MAUI to evade detection. Learn how it's disguising itself and targeting users in China and India.
- CS2 Phishing Attacks: Browser-in-the-Browser attacks are targeting Counter-Strike 2 players' Steam accounts.
- VMware Tools Vulnerability: Broadcom warns of an authentication bypass vulnerability in VMware Tools for Windows. Update those systems ASAP!
- CrushFTP Unauthenticated Access Flaw: CrushFTP warns users to patch an unauthenticated HTTP(S) port access vulnerability.
- Kubernetes IngressNightmare: Wiz researchers uncovered critical vulnerabilities in Ingress-Nginx Controller that could lead to complete cluster takeovers.
- Trump Officials' Signal SNAFU: High-profile officials accidentally shared classified Yemen airstrike plans in a Signal group with a journalist.
- FCC Investigates Huawei: The FCC is scrutinizing Chinese manufacturers for circumventing US regulations.
- Privacy-Boosting Tech: A new report suggests governments should prioritize privacy-enhancing technologies to prevent breaches.
Check out the full blog post 👉 https://opalsec.io/daily-news-update-wednesday-march-26-2025-australia-melbourne/
#cybersecurity #infosec #securitybreach #zeroday #phishing #malware #cloudsecurity #vulnerabilitymanagement #kubernetes #dataprotection #privacy #threatintel #ransomware #NTLM #EncryptHub #Windows #Android #VMware #CrushFTP #Kubernetes #HaveIBeenPwned #Oracle #Signal #CounterStrike #cyberattack #cybercrime
Understanding and Mitigating the CVE-2025-24071 Vulnerability in Windows
#cve202524071
#windowsvulnerability
#ntlm
#cybersecurity
#patchmanagement
Critical Windows File Explorer vulnerability exposes NTLM hashes, enabling network attacks. #WindowsSecurity #Cybersecurity #NTLM
More details: https://nsfocusglobal.com/windows-file-explorer-spoofing-vulnerability-cve-2025-24071/ - https://www.flagthis.com/news/11530
I wrote a quick #blogpost on #ntlm authentication with #sqlmap using #burpsuite proxy.
https://bbence.me/blog/2025-03-09_ntlm_auth/
I did this as a workaround, since the `python-ntlm` package that SQLMap wants still uses Python 2's syntax for some reason and SQLMap does not like that.
While I am at it anyway; #Phishing meets #SMB: Exploiting network trust to capture #NTLM hashes (#pentesting fun)
One effective phishing method leverages SMB connections to capture #NetNTLM hashes for offline #cracking, providing attackers with credentials for the next phase (for example social engineering or other tech attacks). Oh; BIT B.V. (bit.nl) did send my a set of abuse mails, … sorry 😆 … but very nice and thx 🙏🏼, anyway;
Exploit Path: Initial Phishing Vector: The attack starts with a phishing email or download website or something something, containing a payload (e.g., a malicious document or shortcut file, whatever, choose your poison).
The payload initiates an SMB request to the attacker-controlled server (`\\<C2IP>\share`), tricking the victim’s system into authenticating with it. Modern browsers like edge won’t fly; you need to get a bit more creative to execute this and no it’s not a hyperlink. Think Java. Or macro (although; meh).
Then we have SMB Request Redirection: Tools like Responder on the attacker’s C2 server capture NetNTLMv2 hashes during these authentication attempts. This works over IPv4 and IPv6, with IPv6 often prioritized in networks and less monitored. Hence #mitm6. But that’s another story.
Captured hashes are cracked offline using tools like #Hashcat, potentially giving credentials for further attacks. It’s also an excuse for my new RTX 5090 card. 😉
Observations from recent penetration tests where I executed this attack;
-Firewall Rules: not excisting … at all. 🥹
Many environments have outbound 'any-any' rules on firewalls, even on critical nets like Citrix farms. This unrestricted outbound traffic allows SMB authentication requests to reach attacker-controlled servers on the internet. And there is something with remote workers and open internet access lately…
-#Azure and #2FA Gaps, here we go again (see https://lnkd.in/g2ctMEDG); 2FA exclusions are another common issue:
- Trusted locations (e.g., `192.168.x.x` or specific IP ranges) configured to bypass 2FA/MFA.. intended to improve usability, such exclusions can be exploited once an attacker gains access to these "trusted" locations; simply put a VM inside a 192.168 range and chances are…. Good.
These misconfigurations reduce the effectiveness of otherwise robust security measures like MFA and firewall segmentation, giving attackers unnecessary opportunities.
The Takeaway: Attackers thrive on overlooked gaps in configuration. Whether it's outbound "any-any" firewall rules or MFA bypasses for trusted locations, these lapses provide unnecessary pathways for compromise. By combining phishing, SMB exploitation, and tools like Responder, we can target foundational weaknesses in even hybrid environments. I’ve seen soc’s only respond after mission target; because most are monitoring just on the endpoint (EDR/XDR), poorly.
#CyberSecurity #Phishing #SMB #NTLM #MFA #FirewallSecurity #infosec
The meme is absolutely intended as shitposting. Sorry 🤣
Client Info
Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst