On November 12, 2024, Microsoft disclosed that two significant security vulnerabilities affecting Windows NT LAN Manager (NTLM) and Task Scheduler have been actively exploited in the wild. These vulnerabilities were part of the November Patch Tuesday update, which addressed a total of 90 security flaws across Microsoft products.

Among the vulnerabilities patched, four were classified as Critical, 85 as Important, and one as Moderate. Notably, fifty-two of the vulnerabilities addressed in this update presented remote code execution risks, which underscores the severity of these security flaws. The announcement emphasizes the necessity for organizations to prioritize timely updates to their systems.

The vulnerabilities highlighted as actively exploited include CVE-2024-43451 and CVE-2024-49039. The former pertains to an NTLM hash disclosure vulnerability, with a CVSS score of 6.5. This flaw permits an attacker to disclose a user’s NTLMv2 hash, potentially granting them the ability to authenticate as the affected user. This vulnerability, discovered by ClearSky researcher Israel Yeshurun, marks the third such flaw reported this year that allows NTLMv2 hash exposure.

The second vulnerability, CVE-2024-49039, scores significantly higher on the CVSS scale at 8.8. It involves an elevation of privilege vulnerability in Microsoft’s Task Scheduler, permitting authenticated attackers to execute restricted Remote Procedure Call (RPC) functions. Successful exploitation would require the attacker to execute a specially crafted application on the target machine to elevate their privileges. This situation raises concerns regarding potential lateral movement within a network once access is gained.

As of now, there is scant information regarding the specifics of these vulnerabilities in live environments or the extent of their exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the urgency of these vulnerabilities by listing them in the Known Exploited Vulnerabilities (KEV) catalog. This move is indicative of the heightened priority given to mitigating the risks presented by these flaws.

These vulnerabilities may be indicative of broader trends in adversarial tactics, specifically within the MITRE ATT&CK framework. Likely tactics employed in these attacks include initial access through credential dumping and privilege escalation techniques, which allow attackers to gain higher-level access to systems. As actors continue to target NTLM hashes, it underscores the criticality of robust network security protocols, particularly regarding user authentication schemes.

In addition to these vulnerabilities, Microsoft’s November update also addressed critical issues such as a remote code execution flaw in .NET and a cryptographic protocol issue in Windows Kerberos. These patches further illustrate the complexity and sophistication of current cybersecurity threats, highlighting the need for businesses to remain vigilant and proactive in securing their systems against evolving risks.

The cybersecurity landscape continues to evolve, necessitating heightened awareness and rapid responses from organizations to protect against such vulnerabilities. As exploits manifest in real-world scenarios, the business sector must adapt and upgrade their defenses continuously to mitigate the impacts of breaches. The development of these vulnerabilities and their associated risks serves as a stark reminder of the ongoing challenges faced by cybersecurity professionals today.