Since its inception, the NTLM authentication protocol has been notorious for its low resilience against attackers seeking to compromise it for malicious access. While NTLM ceased to be the default in Active Directory environments long ago, and many organizations now strive to restrict its use or ban it altogether, it is still supported and prevalent.
In this blog post, we’ll recap NTLM’s security risks and look at how a leading manufacturer, using a Silverfort access policy, prevented nation-state attackers from leveraging it for lateral movement.
NTLM is an authentication protocol that replaces sending users’ actual passwords over the wire with an encrypted challenge/response exchange between the client and the destination server. The challenge is generated from data obtained during the logon process, including the domain name, the username and a one-way hash of the user’s password. Once the client establishes a network connection to the server, the server sends an encrypted challenge and grants or denies access based on the client’s response.
NTLM Built-In Weaknesses
NTLM is subject to certain weaknesses that make it easier for threat actors to compromise it:
- Weak encryption: The lack of salting makes the hash password-equivalent, so if you can grab the hash value from the server, you can authenticate without knowing the actual password. This means an attacker who can retrieve a hash – there are various ways to dump it from a machine’s memory – can easily access a target server and impersonate the actual user.
- Lack of server identity validation: While the server validates the identity of the client, there is no corresponding validation of the server’s identity, which opens up the possibility of a Man-In-The-Middle (MITM) attack.
Lack of Protection Against Compromise Scenarios
In addition to these weaknesses, NTLM, like other protocols in the Active Directory environment, doesn’t support MFA or any other security measures that can detect and prevent malicious authentication. So, if a threat actor does attempt to leverage the weaknesses we’ve described, the chances of blocking the attack are extremely low.
The Silverfort Unified Identity Protection platform monitors and protects all authentications within an organization’s environment. Silverfort is the first and only solution that can enforce MFA and conditional access policies on NTLM authentications. Using Silverfort, identity and security teams can monitor and govern NTLM authentications and gain the flexibility to decide, based on operational considerations, whether to protect them with adaptive policies or ban the use of NTLM altogether.
In April 2022, a leading manufacturer, one of Silverfort’s customers, was attacked by nation-state actors. The attackers’ initial target was another company’s factory, and their first step was to compromise its Wi-Fi network. By doing so, they also gained access to the laptops of several of the manufacturer’s employees who were visiting the factory at the time. The attackers realized these laptops belonged to a different company and pivoted their attack, attempting to use the compromised laptops as a beachhead into the manufacturer’s internal network. During these attempts the attackers compromised one employee’s credentials and tried to log in to servers within the manufacturer’s network over NTLM.
Before the attack, the company had configured a Silverfort policy to prevent any NTLM logins from workstations to servers in its domain environment. This access policy successfully prevented the attackers from using the credentials they had compromised to move laterally within the manufacturer’s environment, ultimately blocking the attack altogether.
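The policy described above (no NTLM logons from workstations to servers) and the NTLM weaknesses recapped earlier can be modelled as a verdict over logon events. The following is an added example, not Silverfort code: it replays such a policy over events shaped like Windows Security event 4624, marking which logons the policy would deny and flagging leftover NTLMv1 use. The sample events and the host-naming convention (LT-/WS- prefixes mean workstation) are constructed assumptions.

```python
"""Evaluate a 'no NTLM from workstations to servers' access policy over logon events."""
import re

# Assumed naming convention: hosts starting with LT- or WS- are workstations,
# everything else is treated as a server. Adjust to your own inventory.
WORKSTATION_RE = re.compile(r"^(LT|WS)-", re.IGNORECASE)

# Constructed sample events modelled on Windows Security event 4624 fields (not real logs).
# LogonType 3 = network logon; LmPackageName tells NTLM V1 from NTLM V2.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jdoe", "WorkstationName": "LT-4471"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "jdoe", "WorkstationName": "LT-4471"},
    {"EventID": 4624, "Computer": "SQL02", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "svc_backup", "WorkstationName": "APP07"},
    {"EventID": 4624, "Computer": "LT-0912", "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "asmith", "WorkstationName": "LT-0912"},
]


def is_workstation(host):
    return bool(WORKSTATION_RE.match(host))


def evaluate(event):
    """Return 'block', 'alert' or 'allow' for one logon event."""
    if event.get("EventID") != 4624 or event.get("AuthenticationPackageName") != "NTLM":
        return "allow"  # Kerberos and non-logon events are outside this policy
    src, dst = event.get("WorkstationName", ""), event.get("Computer", "")
    # The case-study policy: no NTLM network logons from a workstation to a server.
    if event.get("LogonType") == 3 and is_workstation(src) and not is_workstation(dst):
        return "block"
    # NTLMv1 is weaker still; surface any remaining use so it can be retired.
    if event.get("LmPackageName") == "NTLM V1":
        return "alert"
    return "allow"


def apply_policy(events):
    """Return (user, source host, target host, verdict) for every event."""
    return [(e["TargetUserName"], e["WorkstationName"], e["Computer"], evaluate(e)) for e in events]


if __name__ == "__main__":
    for row in apply_policy(SAMPLE_EVENTS):
        print("%-12s %-8s -> %-8s %s" % row)
```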
To learn more about this attempted attack and Silverfort’s proactive threat detection and prevention, download this customer success case study here.