On July 28, 2021, Microsoft released a security advisory regarding an attack known as “PetitPotam”. This attack is a type of NTLM relay attack that could force Windows domain controllers and servers to reveal password hashes, which could be easily cracked. Microsoft states that your organization may be vulnerable to the attack if you use Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment and/or Certificate Enrollment Web Service.
Although an exploit for the attack has not been publicly used yet, there are several steps you can take to protect your environment from this and other NTLM relay attacks. Microsoft recommends ensuring that services that permit NTLM authentication make use of Extended Protection for Authentication (EPA) or SMB signing. If NTLM is not required on your domain controller, it should be disabled as described in this guide.
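The three mitigations named above (SMB signing, restricting NTLM, and EPA) can be checked on a server with a read-only script such as the following, which is an added example and not code from Microsoft or from this advisory. It assumes the WebAdministration module is installed on the AD CS web server and that the enrollment application lives at the IIS location `Default Web Site/CertSrv`; adjust `$location` for your environment.

```powershell
# Added example: read-only audit of the settings the advisory names.
# Run from an elevated prompt on the server being checked. Nothing is changed.
$report = [ordered]@{}

# 1. SMB signing: is signing required for inbound (server) and outbound (client) SMB?
$report['SMB server signing required'] = (Get-SmbServerConfiguration).RequireSecuritySignature
$report['SMB client signing required'] = (Get-SmbClientConfiguration).RequireSecuritySignature

# 2. NTLM restriction policies. A missing registry value means the policy is unset,
#    in which case NTLM is still accepted.
function Get-PolicyValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not configured' } else { $item.$Name }
}
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$report['Restrict incoming NTLM traffic'] = Get-PolicyValue $lsa 'RestrictReceivingNTLMTraffic'
$report['Restrict NTLM in this domain']   = Get-PolicyValue $netlogon 'RestrictNTLMInDomain'

# 3. EPA on the AD CS web enrollment application (IIS Windows authentication).
#    ASSUMPTION: the application is at this IIS location; change it if yours differs.
$location = 'Default Web Site/CertSrv'
function Get-IisValue($Filter, $Name) {
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $location -Filter $Filter -Name $Name
    # The cmdlet returns either a plain string or an attribute object with .Value
    if ($v -is [string]) { $v } else { $v.Value }
}
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'
    $report['IIS Windows auth enabled'] = Get-IisValue $winAuth 'enabled'
    # tokenChecking is None, Allow or Require; Require means EPA is enforced
    $report['IIS EPA tokenChecking'] = Get-IisValue "$winAuth/extendedProtection" 'tokenChecking'
    # Without TLS required there is no channel binding for EPA to check
    $report['IIS SSL flags'] = Get-IisValue 'system.webServer/security/access' 'sslFlags'
} else {
    $report['IIS EPA tokenChecking'] = 'WebAdministration module not present'
}

[pscustomobject]$report | Format-List
```

Settings to follow up on are signing not required, NTLM policies reported as `not configured`, and `tokenChecking` set to anything other than `Require` where Windows authentication is enabled.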
How BW Cyber Services Can Help
Part of BW’s Risk Assessment and Penetration Testing process is ensuring all devices in your organization are configured properly and have the latest security patches. We can advise you on the newest threats affecting members of the financial services industry and assist you with securing your environment against them. For more information on how BW Cyber Services can assist you, please contact us at email@example.com.