Business leaders have been notified of a new attack method that malicious actors can exploit to take complete control of a Windows domain: a proof-of-concept exploitation tool named PetitPotam.
Microsoft has stated that an unauthenticated attacker can use PetitPotam to coerce a targeted server into connecting to an attacker-controlled server and performing NTLM authentication against it.
In terms of technical detail, PetitPotam abuses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to trick one Windows host into authenticating to another over LSARPC on TCP port 445. This coerced authentication is dangerous because it gives a malicious actor a foothold from which to do anything they want within a Windows domain, including launching a cyberattack such as ransomware.
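The coercion pattern described above leaves a recognisable trace: a server receives an MS-EFSRPC call over the lsarpc pipe and, moments later, that same server initiates an outbound NTLM authentication. The following correlation script is an added defender-side illustration, not code from the article or from Microsoft; the pipe-style log format, field names and the sample records are constructed for this example.

```python
"""Flag servers that receive an MS-EFSRPC call over the lsarpc pipe and then
perform an outbound NTLM authentication shortly afterwards (PetitPotam-style
coerced authentication). Log format and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time|event|src|dst|key=value ...
# 10.0.0.10 plays the targeted server; DC01$ is a constructed machine account.
SAMPLE_LOG = """\
2021-07-23T10:00:01|pipe_bind|10.0.0.50|10.0.0.10|pipe=lsarpc iface=efsrpc
2021-07-23T10:00:02|ntlm_auth_out|10.0.0.10|10.0.0.50|user=DC01$
2021-07-23T10:05:00|pipe_bind|10.0.0.20|10.0.0.10|pipe=lsarpc iface=lsarpc
2021-07-23T10:05:01|ntlm_auth_out|10.0.0.10|10.0.0.20|user=DC01$
2021-07-23T11:00:00|pipe_bind|10.0.0.60|10.0.0.10|pipe=lsarpc iface=efsrpc
"""


def parse(line):
    """Split one constructed log line into a dict of its fields."""
    ts, event, src, dst, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "src": src, "dst": dst, **fields}


def find_coerced_auth(log_text, window=timedelta(seconds=30)):
    """Return one alert per outbound NTLM auth that follows an EFSRPC call
    over lsarpc to the same server within `window`."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    pending = defaultdict(list)  # targeted server -> [(ts, caller)]
    alerts = []
    for ev in events:
        if (ev["event"] == "pipe_bind" and ev.get("pipe") == "lsarpc"
                and ev.get("iface") == "efsrpc"):
            pending[ev["dst"]].append((ev["ts"], ev["src"]))
        elif ev["event"] == "ntlm_auth_out":
            server = ev["src"]
            for ts, caller in pending[server]:
                if timedelta(0) <= ev["ts"] - ts <= window:
                    alerts.append({"server": server, "caller": caller,
                                   "auth_target": ev["dst"],
                                   "account": ev.get("user"),
                                   "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_coerced_auth(SAMPLE_LOG):
        print("coerced NTLM auth suspected:", alert)
```

Only the first pair of records is flagged: the second bind is an ordinary lsarpc call, and the last EFSRPC call is never followed by an outbound authentication.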
In response to Microsoft’s recently disclosed PetitPotam vulnerability, security expert Anurag Kahol, CTO and cofounder of Bitglass, explains to Digital Journal what the core implications are for the business world.
Kahol places the incident in the context of a run of recent Microsoft security flaws, noting: “PetitPotam follows two other critical Windows security flaws that were disclosed in the past month. With this particular vulnerability, attackers can obtain authentication certificates or password hashes and completely take over an organization’s network.”
The implications are serious, notes Kahol: “If exploited, the aftermath of such an attack can be highly disastrous for an enterprise, highlighting how proactive security measures are critical in these scenarios.”
The incident presents wider lessons for industry, Kahol suggests: “Enterprises must move away from using the same vendor for both their infrastructure and security needs, and instead implement third-party security solutions that can prevent attackers from operating without restrictions.”
As an example of a suitable proactive response, Kahol recommends: “With a secure access service edge (SASE), enterprises can extend consistent security to all enterprise resources and replace various fragmented solutions that must be managed and updated separately.”
He concludes by stating: “It’s time organizations break free from their single vendor infrastructure and leverage security solutions that deliver comprehensive threat protection.”