NTLM Hash Exploit Targets Poland and Romania Days After Patch
An NTLM hash disclosure spoofing vulnerability that leaks hashes with minimal user interaction has been observed being exploited in the wild
NTLM is a legacy authentication protocol whose weaknesses can enable credential theft, relay attacks, and unauthorized access to network resources.
Search across headline titles and summaries.
Background for this topic.
NTLM (NT LAN Manager) is a Microsoft challenge-response authentication protocol still supported by Windows. It lets a client authenticate without sending the password in plaintext, and may be used when Kerberos is unavailable or when legacy applications, workgroups, or older systems require it. NTLMv1 is obsolete and weak; NTLMv2 improves the challenge-response exchange but retains important design limitations.
NTLM matters because attackers who obtain an NT password hash may use pass-the-hash to authenticate without knowing the password. NTLM authentication can also be relayed to another service when that service lacks protections such as message signing or channel binding, potentially granting access with the victim’s credentials. Defenders should inventory and reduce NTLM use, prefer Kerberos where supported, protect credential material, and enable signing or equivalent relay-resistant protections on relevant protocols. Authentication logs can help identify unexpected NTLM use and legacy dependencies before attempting to disable it.
Weekly headline count for the current query.
An NTLM hash disclosure spoofing vulnerability that leaks hashes with minimal user interaction has been observed being exploited in the wild
Proofpoint warned the method could be used for data gathering and further malicious activities
Assuming the identity of a domain, threat actors could then execute arbitrary commands