GRC Viewpoint

Phishing attacks lead to theft of Windows NTLM authentication codes

The cybercriminal group TA577 has recently updated their strategy to hijack accounts by phishing for NTLM (NT LAN Manager) authentication hashes. Recognized for their connections to Qbot and the Black Basta ransomware, TA577 has traditionally focused on deploying malware, but recent actions suggest a shift towards direct theft of authentication credentials.

In late February 2024, Proofpoint, an email security company, observed TA577 launching large-scale phishing attacks aimed at capturing NTLM hashes from employees across numerous organizations globally. NTLM hashes are critical for authentication and security within Windows environments. Attackers can use these hashes in several malicious ways, including offline cracking to discover passwords and “pass-the-hash” techniques that bypass the need for the actual password, potentially leading to escalated privileges, account hijackings, and extensive network infiltration.

The phishing scheme involves emails that seemingly continue previous conversations (thread hijacking) and carry ZIP files with HTML content. These HTML files are designed to initiate connections to external SMB servers under the attacker’s control, triggering an automatic NTLMv2 Challenge/Response process that leaks the NTLM hashes to the attackers.

Proofpoint’s findings highlight that the SMB servers ran non-standard tooling such as the Impacket toolkit, a sign that they were set up to serve the phishing attacks rather than legitimate file sharing. The primary objective appears to be hash theft, with no malware payloads being delivered through this campaign. This tactic suggests a potentially broader strategy of reconnaissance, identifying valuable targets for future attacks.

The significance of these attacks is underscored by the limited effectiveness of traditional security measures against such phishing techniques. Blocking outbound SMB connections and implementing advanced email filtering to catch zipped HTML files are among the recommended defensive actions. Windows 11 users benefit from an additional security feature that blocks NTLM-based attacks over SMB, offering a layer of protection not available in older versions of the operating system.
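As an added illustration of the email-filtering recommendation above (this is example code written for this article, not a tool from Proofpoint or any vendor named here), the following Python script inspects a ZIP attachment and flags any HTML content inside it, including HTML members with a disguised extension and HTML hidden inside nested ZIPs. The sample attachments it builds in memory are constructed for the example; the file names and hosts are placeholders.

```python
import io
import re
import zipfile

# Detection rule: a ZIP attachment that carries HTML is quarantined.
# HTML is recognised by extension or by sniffing the leading bytes, so a
# member renamed to .txt or .pdf still trips the rule.
HTML_MAGIC = re.compile(rb"^\s*(<!doctype\s+html|<html)", re.IGNORECASE)
HTML_EXTS = (".html", ".htm", ".xhtml", ".shtml")
MAX_DEPTH = 3  # how deep to descend into ZIP-in-ZIP attachments


def _looks_like_html(name: str, data: bytes) -> bool:
    if name.lower().endswith(HTML_EXTS):
        return True
    return bool(HTML_MAGIC.match(data[:512]))


def find_html_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return the paths (outer.zip/inner.html style) of every HTML member,
    descending into nested ZIPs up to MAX_DEPTH. Encrypted members cannot be
    inspected, so they are reported too: an uninspectable attachment is not
    treated as clean."""
    found: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return found  # not a ZIP at all; other rules handle non-ZIP files
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            try:
                data = zf.read(info)
            except RuntimeError:  # raised for password-protected members
                found.append(path + " (encrypted, uninspectable)")
                continue
            if _looks_like_html(info.filename, data):
                found.append(path)
            elif depth < MAX_DEPTH and data[:4] == b"PK\x03\x04":
                # nested ZIP: recurse with the member name as path prefix
                found.extend(find_html_members(data, depth + 1, path + "/"))
    return found


def should_quarantine(zip_bytes: bytes) -> bool:
    """Verdict for a mail gateway: True when any HTML is found in the ZIP."""
    return bool(find_html_members(zip_bytes))


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct sample attachments in memory for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments (placeholder names, not real campaign files)
SAMPLE_ZIPPED_HTML = build_zip(
    {"Invoice_2024.html": b"<!DOCTYPE html><html><body>Invoice</body></html>"}
)
SAMPLE_DISGUISED = build_zip({"report.txt": b"<html><head></head><body></body></html>"})
SAMPLE_NESTED = build_zip({"docs.zip": build_zip({"page.htm": b"<html></html>"})})
SAMPLE_BENIGN = build_zip({"notes.txt": b"plain text", "data.csv": b"a,b\n1,2\n"})


if __name__ == "__main__":
    for label, blob in [
        ("zipped HTML", SAMPLE_ZIPPED_HTML),
        ("disguised extension", SAMPLE_DISGUISED),
        ("nested ZIP", SAMPLE_NESTED),
        ("benign", SAMPLE_BENIGN),
    ]:
        verdict = "QUARANTINE" if should_quarantine(blob) else "allow"
        print(f"{label:20s} -> {verdict} {find_html_members(blob)}")
```

The content sniff and the nested-ZIP descent are what make this more than an extension filter: an attacker-controlled attachment has no obligation to name its HTML file `.html`, and a ZIP inside a ZIP is a common way to slip past a single-layer check. Pair the gateway rule with the outbound SMB block mentioned above, since filtering stops the lure while the firewall rule stops the hash from leaving even if a lure gets through.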

This evolution in TA577’s approach serves as a reminder of the constantly changing landscape of cybersecurity threats and the necessity for organizations to adapt their defences accordingly.
