A new NTLM relay attack called PetitPotam has been discovered that allows threat actors to take over a domain controller; proof-of-concept code has been published.

Many organizations utilize Microsoft Active Directory Certificate Services, which is a public key infrastructure (PKI) server that can be used to authenticate users, services, and machines on a Windows domain. The attack involves what’s known as an NTLM relay attack, which is a form of manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system.

First updated 2021-07-27, 18:14 UTC
Last updated 2021-07-28, 18:57 UTC

How are Sophos customers protected?

Sophos Firewall/UTM products can mitigate the vulnerability using IPS. There is no action required for Sophos Firewall and UTM customers as IPS signatures are automatically deployed.

Sophos MTR customers have already been advised of this issue. The Sophos MTR team is monitoring for ongoing activity and for network-based attempts to exploit this vulnerability.

Sophos (XG) Firewall and Sophos UTM

IPS signatures were published on July 28, 2021
SIDs are 57965, 57966

Associated Links