Hello, welcome to the Monday, April 30th, 2018 edition of the Santonet Stormsendors Stormcast. My name is Johannes Ulrich,

and I am recording from Jacksonville, Florida. I mentioned Tom was working on some exploits against the new

triple vulnerability. He published his post on Friday. Now, sort of interesting here that while they're using this brand new

Truple exploit, it's sort of a little bit of flashback here in the sense that they're defacing the site,

using Kurdish propaganda, and then they're actually registering themselves with Soan H. I didn't even know

that Zone H was still around. Soan H is a defacement mirror. That's where hackers take credit

for defacing websites. It was a big thing when I got started in Infosec, but of course,

not so much these last few years. And Checkpoint published a blog post

showing how PDFs can be used to steal Windows NTLM credentials. The problem with NTLM credentials is that

whenever a client connects to an SMB server, it automatically tries to authenticate.

So the trick that's usually being used in order to extract these credentials is I'm sending

you a document that contains content that appears to be located on an SMB share.

So as the user opens the PDF, PDF reader tries to connect

to the SMB share, and with that it transmits the user's credentials. Now, they're hash, but we all

know hashes can be brute forced. Now, don't wait for Adobe to fix this. Adobe is actually

referring to Microsoft and Microsoft's

guidance is to disable NTLM single sign-on authentication for public resources, which should

limit the impact of this problem.

And well, I've mentioned it multiple times before you should block all outbound SMB connections.

This is just one of many ways how NetHacker could possibly trick you into sending

credentials to a malicious SMB share.

And talking about Microsoft and bugs that won't be fixed anytime soon,

...