Comment on Russian military hackers targeting NATO
December 2023 by Kennet Harpsoe, Senior Cyber Analyst at Logpoint
News broke today that Russian military hackers are targeting NATO fast reaction corps (bleepingcomputer.com).
In response to the story, the comment below was sourced from Kennet Harpsoe, Senior Cyber Analyst at Logpoint.
“Given the overall political situation, the described attack should not come as a surprise to anyone.
The described attack is essentially an NTLM replay attack. NTLM is ancient and deprecated. The modern replacement is Kerberos.
Kerberos is standard even in Windows networks, but NTLM is used as a fallback and is thus still widely used despite its numerous and well-known security flaws.
If you can, disable NTLM in your AD, and if you cannot, make sure to monitor the NTLM traffic on your network. Are new users all of a sudden using NTLM authentication all the time? NTLM authentication requests should normally not be leaving your network. If they do, it should be thoroughly investigated. Track all NTLM replay attempts in your network from your AD logs.
Enforce Signing (SMB/LDAP) and Extended Protection for Authentication (EPA) for all relevant servers, like domain controllers and email servers, to defeat most replay attacks.
Finally, one wonders why it is still not standard to encrypt emails at rest, with keys private to the recipients. PGP has been around for a long time. It’s not much fun stealing emails if you can’t read them.”
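The advice above (restrict NTLM, watch who is still using it, enforce SMB/LDAP signing and channel binding) can be turned into a concrete check. The script below is an added example written for this page; it is not Logpoint's code and is not from the BleepingComputer article. It assumes an elevated PowerShell session on a Windows Server 2016 or later domain controller with the SmbShare module present, reads the registry values behind the relevant Group Policy settings, and then lists which accounts and source hosts still authenticated with NTLM (Security event 4624 with AuthenticationPackageName = NTLM) over the last 24 hours. The IIS Extended Protection check at the end only runs where the WebAdministration module is installed (for example on an Exchange server) and assumes the site is named "Default Web Site"; that name and the 24-hour window are assumptions, not values from the page.

```powershell
#Requires -RunAsAdministrator
# Added example: audit NTLM hardening and enumerate remaining NTLM logons.
# Assumes: elevated session on a domain controller; SmbShare module available.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, i.e. the policy has never been set (Windows default applies).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-NtlmHardening {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = "$lsa\MSV1_0"
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $smb  = Get-SmbServerConfiguration

    [pscustomobject]@{
        # 5 = "Send NTLMv2 response only. Refuse LM & NTLM" (Network security: LAN Manager authentication level)
        LmCompatibilityLevel      = Get-RegValue $lsa 'LmCompatibilityLevel'
        # 7 = deny all NTLM in the domain; lower values still allow some NTLM (Restrict NTLM: NTLM authentication in this domain)
        RestrictNTLMInDomain      = Get-RegValue $msv 'RestrictNTLMInDomain'
        # 7 = audit all NTLM in the domain; produces event 8004 in Microsoft-Windows-NTLM/Operational
        AuditNTLMInDomain         = Get-RegValue $msv 'AuditNTLMInDomain'
        # 2 = deny all accounts, 1 = deny domain accounts (Restrict NTLM: Incoming NTLM traffic)
        RestrictReceivingNTLM     = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'
        # 2 = deny all, 1 = audit all (Restrict NTLM: Outgoing NTLM traffic to remote servers)
        RestrictSendingNTLM       = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
        # True = SMB signing is mandatory on this server, which breaks SMB relay
        SmbServerRequireSigning   = $smb.RequireSecuritySignature
        # 2 = LDAP signing required (Domain controller: LDAP server signing requirements)
        LdapServerIntegrity       = Get-RegValue $ntds 'LDAPServerIntegrity'
        # 2 = channel binding always required on LDAPS (the EPA equivalent for LDAP over TLS)
        LdapEnforceChannelBinding = Get-RegValue $ntds 'LdapEnforceChannelBinding'
    }
}

function Get-NtlmLogons {
    param([int]$Hours = 24)   # window is an assumption; tune to your log volume
    $since = (Get-Date).AddHours(-$Hours)
    # 4624 = successful logon. AuthenticationPackageName tells NTLM from Kerberos;
    # LmPackageName ("NTLM V1" / "NTLM V2") tells which NTLM flavour was accepted.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            if ($d.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Source      = $d.IpAddress
                    Workstation = $d.WorkstationName
                    Version     = $d.LmPackageName   # "NTLM V1" on its own is worth an alert
                    LogonType   = $d.LogonType       # 3 = network logon, the relay-relevant case
                }
            }
        }
}

function Get-DcNtlmAudit {
    param([int]$Hours = 24)
    # 8004 is only written once AuditNTLMInDomain is enabled on the DC; it names the
    # workstation, domain and secure channel that carried the NTLM pass-through request.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# 1. Configuration: anything $null or below the values noted above is a finding.
Test-NtlmHardening | Format-List

# 2. Who is still using NTLM, grouped by account and source address. New pairs, or a
#    sudden jump in count for a known pair, are what the comment above says to chase.
Get-NtlmLogons -Hours 24 | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. DC-side NTLM audit trail (requires AuditNTLMInDomain).
Get-DcNtlmAudit -Hours 24 | Format-Table -AutoSize -Wrap

# 4. EPA on IIS-hosted Windows authentication (Exchange/OWA style). 'Require' means
#    the channel-binding token is checked, which defeats relaying to that site.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name tokenChecking
}
```

Run it on each domain controller and on any server that terminates NTLM for a mail or web front end. The configuration part is a point-in-time snapshot; the logon part is the baseline you compare against over time, and in practice it is the grouped account/source list that tells you whether NTLM usage is a handful of legacy devices or something new appearing from a host that has no business authenticating that way.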