HiveNightmare - Stealing passwords without knowing them

Summary: HiveNightmare isn't an attack itself, but it can be used by attackers to use your Windows password without knowing what it is.  It is a useful tool for them to gain better access once they already have a foothold, for example because someone downloaded shady software or allowed access to their computer.
What's HiveNightmare?

It's been a rough month for Microsoft with several major exploits being released.  HiveNightmare (also called SeriousSAM) is the latest that we know about.  This isn't necessarily an attack on its own.  It's better thought of as a tool.  If an attacker is able to gain access to your computer through shady software, scam downloads, scam remote support, or other attacks, this tool allows them to read the Security Accounts Manager (SAM) database.  This database stores hashed (one-way encrypted) copies of the passwords used on the computer.

Normally this database is so locked down that even as the legitimate user of the computer you can't read or access it.  This is done to prevent a normal user from accessing things they shouldn't, like the credentials an administrator used on that computer.  Recent patches from Microsoft somehow broke the security on the SAM database and allowed normal users to access it.

Remember that the database is hashed?  While an attacker can't directly read your passwords from the database, they can still use them in what's called a "pass the hash" attack.  An attacker can use your hashed password as-is to authenticate to other computers and servers.  This is called "lateral movement".  The attacker moves from an unimportant user workstation to a very important server.  This is where things become very bad.  Generally these attacks are used by attackers to spread ransomware and steal your important files so they can demand money.

Mitigating Factors:
  • If you're one of our clients, you guessed it, we've already contacted you and applied fixes for this.
  • The exploit cannot be run remotely and requires local access to the target computer.
  • The exploit applies to only a small subset of patched computers.
How to Fix HiveNightmare:

A simple command (run as administrator) will restrict the database properly again.  It's best to also delete the VSS (Volume Shadow Copy) copies to prevent old versions of the database from being accessed, but consider that this will also delete local backups if you need to restore something.  It's best not to rely on Windows VSS alone; have a third-party cloud backup service as well.

icacls %windir%\system32\config\*.* /inheritance:e
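The following script is an added example and not part of the original article: run from an elevated PowerShell, it checks whether the SAM, SECURITY and SYSTEM hives are readable by BUILTIN\Users (the condition HiveNightmare relies on), counts existing shadow copies, and with -Fix applies the same icacls command given above.  The hive names and the -Fix switch are this example's assumptions.

```powershell
# Added example: detect the HiveNightmare permission problem and optionally apply the
# article's icacls fix.  Must be run from an elevated (administrator) PowerShell.
param([switch]$Fix)

$configDir = Join-Path $env:windir 'System32\config'
# The three registry hives that are needed to extract and use password hashes.
$hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $configDir $_ }

$vulnerable = @()
foreach ($hive in $hives) {
    # Reading the ACL only needs READ_CONTROL, so this works even though the
    # hive file itself is locked by the system while Windows is running.
    $acl = Get-Acl -LiteralPath $hive
    # Any Allow entry that gives BUILTIN\Users read access is the problem.
    $userRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if ($userRead) {
        Write-Warning "$hive is readable by BUILTIN\Users"
        $vulnerable += $hive
    } else {
        Write-Output "$hive : OK (no read access for BUILTIN\Users)"
    }
}

# Shadow copies taken while the ACL was wrong still contain a readable copy of the
# hives, which is why the article recommends deleting them (at the cost of local backups).
$shadows = @((vssadmin list shadows 2>$null) | Select-String 'Shadow Copy Volume')
Write-Output ("Volume shadow copies present: {0}" -f $shadows.Count)

if ($Fix -and $vulnerable.Count -gt 0) {
    # Same command as the article: re-enable ACL inheritance so the hives pick up the
    # restrictive permissions of the config directory.  Re-run without -Fix to verify.
    icacls "$configDir\*.*" /inheritance:e
}
```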

If you're not comfortable with this or uncertain what to do, we're happy to help!  Contact us at 888-526-1631 or on our website.  We'll update this article once Microsoft releases a patch for this and it's been tested.
