Until it is determined whether this attack can be relayed via WebDAV (i.e., via HTTP through your firewall even if it's blocking SMB), I would also disable the "Web Client" service on your Exchange server. /cc @wdormann https://twitter.com/certcc/status/1089570070693642240
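The mitigation suggested in the tweet above, as an added example that is not part of the original thread: a PowerShell function that stops the WebClient (WebDAV redirector) service on the Exchange host, sets its startup type to Disabled so it does not return on reboot, and returns the verified end state. The function name and the returned object shape are my own; it uses only standard `Get-Service`, `Set-Service`, `Stop-Service` and `Get-CimInstance` cmdlets and must be run from an elevated session on the Exchange server.

```powershell
# Added example, not from the thread: disable the WebClient (WebDAV) service on an
# Exchange server so it cannot be used as an HTTP path for relaying NTLM when
# outbound SMB is already blocked by the firewall. Run elevated on the Exchange host.

function Disable-WebClientService {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # The service may be absent on some server SKUs; treat that as already mitigated.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "WebClient service is not installed on this host; nothing to do."
        return
    }

    # Get-Service does not expose the startup type, so read StartMode via CIM.
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    Write-Verbose "WebClient before: Status=$($svc.Status) StartMode=$startMode"

    if ($svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess('WebClient', 'Stop service')) {
        Stop-Service -Name WebClient -Force
    }
    if ($startMode -ne 'Disabled' -and $PSCmdlet.ShouldProcess('WebClient', 'Set startup type to Disabled')) {
        Set-Service -Name WebClient -StartupType Disabled
    }

    # Re-read the state after the change and return it so the caller can log or assert on it.
    $after     = Get-Service -Name WebClient
    $afterMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    [pscustomobject]@{
        Service   = 'WebClient'
        Status    = $after.Status
        StartMode = $afterMode
        Hardened  = ($after.Status -eq 'Stopped' -and $afterMode -eq 'Disabled')
    }
}

# Use -WhatIf first to see what would change without touching the service.
Disable-WebClientService -Verbose
```

Note that this only removes the WebDAV client on the Exchange host as an outbound HTTP relay path; it does not change the unsigned NTLM authentication from the Exchange server that later replies in the thread discuss, and it will break any WebDAV shares mapped from that server.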
IMO, the problem is because Exchange 2013 and later don't sign/seal the NTLM authentication request from the Exchange server. This allows an attacker to relay the request without needing to know the credentials of the Exchange server account.
Exactly. Attacker in internal network with direct SMB connectivity to DC, while Exchange server is behind a firewall blocking outbound SMB (but not HTTP).
You made my heart RCE for a minute there ;-)