6 July 2022

Microsoft silently issued a fix for ‘ShadowCoerce’ NTLM Relay attack


Microsoft silently fixed the previously disclosed ‘ShadowCoerce’ vulnerability on June 14, 2022, as part of the monthly ‘Patch Tuesday’. The flaw allowed threat actors to launch NTLM relay attacks against Windows servers by abusing Microsoft's File Server Remote VSS Protocol (MS-FSRVP).

‘ShadowCoerce’ was mitigated along with CVE-2022-30154, which affected the same component. CVE-2022-30154 is a privilege escalation vulnerability in Microsoft File Server Shadow Copy Agent Service (RVSS).

Despite patching the flaw, Microsoft has not yet provided any details about it or assigned it a CVE ID.

Using ‘ShadowCoerce’, an attacker could force Active Directory to authenticate to a server under the attacker’s control. In turn, this could lead to a complete takeover of the domain. This type of attack is called an ‘NTLM relay attack’.

The ‘ShadowCoerce’ attack works similarly to the previously uncovered ‘PetitPotam’ and ‘PrinterBug’ attacks, which abuse Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) and Print System Remote Protocol (MS-RPRN), respectively.

In December 2021, security researcher Lionel Gilles published a proof-of-concept exploit for ‘ShadowCoerce’. As with other MS-RPC abuses, the attack relies on protocol methods that accept remote UNC paths, namely IsPathSupported and IsPathShadowCopied.

Successful exploitation of this bug is possible only on systems with the File Server VSS Agent Service enabled. Furthermore, NTLM relay attacks require the attacker to already have a foothold on the network.
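Because the attack surface is limited to hosts running the File Server VSS Agent Service, a defender's first step is to find out which servers actually have that role service installed and running. The PowerShell inventory script below is an added example, not code from the article or from Microsoft; it assumes the role service is named FS-VSS-Agent in the Server Manager feature list, that the corresponding Windows service is called fssagent, that the computers in $servers are reachable over WinRM, and that the script runs with rights to query them. The host list is constructed for illustration.

```powershell
# Inventory which servers expose MS-FSRVP by checking for the
# File Server VSS Agent Service role service and its Windows service.
# Assumptions (not from the article): feature name FS-VSS-Agent,
# service name fssagent, WinRM reachable, sufficient rights.

$servers = @('FS01', 'FS02', 'APP01')   # constructed sample host list

$report = foreach ($s in $servers) {
    try {
        Invoke-Command -ComputerName $s -ErrorAction Stop -ScriptBlock {
            $feature = Get-WindowsFeature -Name 'FS-VSS-Agent'
            $svc     = Get-Service -Name 'fssagent' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Server           = $env:COMPUTERNAME
                AgentInstalled   = [bool]$feature.Installed
                ServiceStatus    = if ($svc) { $svc.Status } else { 'NotPresent' }
                # Exposed only when the role service is present and running
                FsrvpExposed     = [bool]$feature.Installed -and $svc -and $svc.Status -eq 'Running'
            }
        }
    } catch {
        [pscustomobject]@{
            Server         = $s
            AgentInstalled = 'Unknown'
            ServiceStatus  = "Error: $($_.Exception.Message)"
            FsrvpExposed   = 'Unknown'
        }
    }
}

# Hosts flagged FsrvpExposed are the ones that need the June 2022 update
# verified, or the role service removed if it is not actually required.
$report | Sort-Object FsrvpExposed -Descending | Format-Table -AutoSize
```

Run it from an administrative workstation after patch deployment; any host still showing FsrvpExposed = True is where patch verification matters most, and hosts that do not need shadow-copy support for remote file servers can simply have the role service removed to shrink the attack surface.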
