Kerberos Archives

Winsage

May 22, 2025

BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover

The dMSA account in Active Directory manages service accounts with enhanced security and automation. Key attributes include msDS-DelegatedMSAState, which indicates the migration status (unknown, in progress, or completed), and msDS-ManagedAccountPrecededByLink, which identifies the superseded account. The msDS-GroupMSAMembership attribute specifies authorized principals for authentication as the dMSA account. After migration, systems using the old service account receive a notification from the Domain Controller that the previous account is disabled, along with a KERB-SUPERSEDED-BY-USER field pointing to the new dMSA. The Key Distribution Center (KDC) within the Kerberos protocol validates user identities and grants access based on permissions, ensuring secure network resource access.

Winsage

May 7, 2025

Microsoft: April updates cause Windows Server auth issues

Microsoft has acknowledged that the April 2025 security updates are causing authentication challenges for certain Windows Server domain controllers, specifically affecting Windows Server versions 2016, 2019, 2022, and 2025. The issues arise after installing the April Windows monthly security update (KB5055523 or later), leading to complications in processing Kerberos logons or delegations that rely on certificate-based credentials. Affected authentication protocols include Kerberos PKINIT, S4U via RBKCD, and KCD. These issues are linked to security measures addressing the critical vulnerability CVE-2025-26647, which allows authenticated attackers to escalate privileges remotely. A temporary workaround involves modifying a registry value. Microsoft has previously addressed similar authentication issues in Windows 11, Windows Server 2025, and earlier versions.

Winsage

April 23, 2025

Microsoft fixes Windows Server 2025 blue screen, install issues

Microsoft has addressed issues affecting Windows Server 2025 for systems with more than 256 logical processors, which could lead to installation failures, slow start-up times, and blue screen errors. These problems have been resolved through updates since the KB5046617 cumulative update released in November. IT administrators are advised to install the latest security updates, which include essential fixes. A temporary workaround involves limiting the number of logical processors to 256 or fewer by adjusting settings in the UEFI Setup. Additionally, Microsoft warned of potential accessibility issues with Windows Server 2025 domain controllers post-restart and reported login difficulties with Windows Hello after the April 2025 updates. A bug causing authentication issues with Credential Guard has been fixed, and a new safeguard hold for Windows 11 24H2 has been introduced due to compatibility problems with the SenseShield Technology's sprotect.sys driver.

Winsage

April 19, 2025

Windows vulnerability with NTLM hash abuse exploited for phishing

A vulnerability in Windows, identified as CVE-2025-24054, is being exploited in phishing campaigns targeting government and private organizations. Initially considered low-risk, it was addressed in Microsoft's March 2025 Patch Tuesday updates. Following the release of these patches, Check Point observed a rise in exploitation attempts, particularly linked to the Russian group APT28. Attackers sent phishing emails with Dropbox links containing .library-ms files, which, when accessed, connected to an external SMB server controlled by the attackers, allowing interception of NTLM hashes. A subsequent wave of attacks involved .library-ms files sent as direct attachments, requiring minimal user interaction to exploit the vulnerability. The malicious ZIP archive also contained files exploiting older NTLM vulnerabilities. Check Point identified the attackers' SMB servers with specific IP addresses. Despite being classified as medium-severity, the vulnerability's potential impact is significant, prompting organizations to apply the March 2025 updates and consider disabling NTLM authentication if not essential.

Winsage

April 17, 2025

Windows NTLM hash leak flaw exploited in phishing attacks on governments

A vulnerability in Windows, identified as CVE-2025-24054, is being actively exploited in phishing campaigns targeting government and private sectors. Initially addressed in Microsoft's March 2025 Patch Tuesday, it was not considered actively exploited at that time. Researchers from Check Point reported increased exploitation activities shortly after the patches were released, particularly between March 20 and 25, 2025. Some attacks were linked to the Russian state-sponsored group APT28, but definitive attribution is lacking. The vulnerability allows attackers to capture NTLM hashes through phishing emails containing manipulated .library-ms files that trigger the flaw when interacted with. Check Point noted that subsequent attacks involved .library-ms files sent directly, requiring minimal user interaction to exploit. The malicious files also included additional components that exploit older vulnerabilities related to NTLM hash leaks. The attacker-controlled SMB servers were traced to specific IP addresses. Although rated as medium severity, the potential for authentication bypass and privilege escalation makes it a significant concern, prompting recommendations for organizations to install updates and disable NTLM authentication if not necessary.

Winsage

April 17, 2025

Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)

CVE-2025-24054 is a vulnerability that allows attackers to capture NTLMv2-SSP hashes from a victim's machine during authentication requests to an attacker-controlled SMB server. Active exploitation of this vulnerability has been observed since March 19, 2025, targeting government and private sectors in Poland and Romania. The attacks involve phishing emails that lead victims to download an archive file containing exploits designed to leak NTLMv2-SSP hashes. Microsoft has released patches for this vulnerability, but users on older, unsupported versions may need to consider micropatching.

Winsage

April 14, 2025

Microsoft: Windows Server 2025 restarts break connectivity on some DCs

Microsoft has warned IT administrators about a potential issue with Windows Server 2025 domain controllers (DCs) becoming inaccessible after a restart, due to defaulting to the standard firewall profile instead of domain-specific settings. This mismanagement can lead to DCs being unreachable on the domain network or improperly accessible through restricted ports and protocols. A workaround involves manually restarting the network adapter on affected servers after each reboot, and Microsoft recommends setting up a scheduled task for this. The company is working on a permanent solution for a future update. Additionally, Microsoft has alerted users to another issue with Windows Hello logins related to the KB5055523 April 2025 security update and has implemented a fix for authentication issues with Credential Guard and the Kerberos PKINIT pre-auth security protocol.

Winsage

April 9, 2025

Microsoft: April 2025 updates break Windows Hello on some PCs

Microsoft has announced that a subset of Windows users may have difficulties logging into their accounts via Windows Hello after installing the April 2025 security updates, specifically affecting Windows 11 24H2 and Windows Server 2025 with the KB5055523 update. The issue occurs on devices with Dynamic Root of Trust for Measurement (DRTM) or System Guard Secure Launch features enabled prior to the update. Users may see messages indicating problems with their PIN or facial recognition setup. Microsoft has provided workarounds for affected users, including re-enrollment in Windows Hello for both PIN and facial recognition. Additionally, Microsoft resolved another bug related to KB5055523 affecting Credential Guard and introduced a safeguard hold for Windows 11 24H2 systems using SenseShield Technology's sprotect.sys driver due to compatibility issues. Upgrade blocks have also been implemented for devices with incompatible software or hardware, including Dirac audio improvement software and certain applications.

Winsage

April 9, 2025

Microsoft releases KB5055523 update to fix a glut of Windows 11 problems

Microsoft has released the KB5055523 update for Windows 11, which includes various fixes and enhancements. Key improvements include a fix for the Explorer context menu issue, increased reliability of ctfmon.exe, and resolution of a Kerberos authentication problem related to RC4 encryption. New features for Copilot+ PC users include an improved Windows Search with semantic indexing, natural language search for cloud-stored photos, enhanced communication capabilities with live captions and real-time translation, and support for real-time translation into Simplified Chinese on Snapdragon-powered devices. The update also addresses issues with machine password rotation in the Identity Update Manager, updates for Daylight Saving Time in Chile, and unexpected behavior in the PcaUiArmUpdate feature. KB5055523 will be automatically installed for users.

Winsage

April 9, 2025

Patch Tuesday fixes an exploited bug, but not for Windows 10

Microsoft's Patch Tuesday updates addressed over 120 vulnerabilities, including one actively exploited flaw (CVE-2025-29824) and 11 critical issues. CVE-2025-29824 is an elevation of privilege vulnerability in the Windows Common Log File System Driver, targeted by the group Storm-2460 to deploy ransomware called PipeMagic, affecting victims in the US, Spain, Venezuela, and Saudi Arabia. This vulnerability has a CVSS score of 7.8 and allows attackers to escalate privileges due to a use-after-free flaw. Patches for Windows Server and Windows 11 have been released, but Windows 10 users are still awaiting a fix, with Microsoft promising updates soon. Among the critical vulnerabilities addressed, all allow for remote code execution (RCE). Notable vulnerabilities include: - CVE-2025-26670: LDAP Client RCE, Critical, CVSS 8.1 - CVE-2025-27752: Microsoft Excel RCE, Critical, CVSS 7.8 - CVE-2025-29791: Microsoft Excel RCE, Critical, CVSS 7.8 - CVE-2025-27745: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27748: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27749: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27491: Windows Hyper-V RCE, Critical, CVSS 7.1 - CVE-2025-26663: Windows LDAP RCE, Critical, CVSS 8.1 - CVE-2025-27480: Windows RDP RCE, Critical, CVSS 8.1 - CVE-2025-27482: Windows RDP RCE, Critical, CVSS 8.1 - CVE-2025-26686: Windows TCP/IP RCE, Critical, CVSS 7.5 - CVE-2025-29809: Windows Kerberos Security Feature Bypass, Important, CVSS 7.1 Dustin Childs from ZDI noted that CVE-2025-29809 requires additional measures beyond standard patching. CVE-2025-26663 and CVE-2025-26670 are considered wormable, necessitating prompt updates, especially for networks exposing LDAP services. Adobe released over 50 fixes for vulnerabilities in products like Cold Fusion, After Effects, and Photoshop, with some issues in Cold Fusion classified as critical. AMD updated advisories regarding GPU access and various Ryzen AI software vulnerabilities.