Hello, welcome to the Friday, May 17th, 2019 edition of the Sandton and Storms, Stormcast. My name is

Johannes Ulrich. And the I am recording from Jacksonville, Florida. Xavier came across an interesting

attack, taking advantage of authenticated vulnerability scans. In this particular case, the attacker was trying

to do an NTLM relay attack. Now, an NTLM relay attack does need an authenticated user that actually

logs in into a system in order to then relay the connections and that way take advantage of credentials.

The user being used here happened to be the vulnerability scanner.

Now, the advantage of an attacker using a vulnerability scanner is that first of all, the credentials

usually work with pretty much all systems on the network.

Secondly, there are sometimes elevated credentials in order to accurately assess the target system for security vulnerabilities.

Also, in monitoring connections from the vulnerability scanner to many hosts your network may not really

show up as an anomaly because that's what vulnerability scanners do unlike any other user that

usually only logs in to a couple different systems in which case well it sort of shows up

if you're looking for it and that's sort of one of the standard anomalies that many systems look for, where you have one user connecting all of a sudden to many different systems.

Not too much you can do about this.

You do want a vulnerability scanner.

You do want it to authenticate itself.

The real fix here is to prevent

these NTLM relay attacks using SMB version 3 and enabling SMB signing. And remember, it may not

be that easy to pull off the attack without the vulnerability scanner, but of course it's still possible, so it's not the vulnerability

scanner really sort of being necessary here for the attacker. And Aaron won an important court

battle regarding the fraudulent transfer of IPV4 addresses. Due to IPV4 addresses being in short supply IPV4

addresses of course have been transferred between companies but in this case the

...