- If ChatGPT produces AI-generated code for your app, who does it really belong to?
- The best iPhone power banks of 2024: Expert tested and reviewed
- The best NAS devices of 2024: Expert tested
- Four Ways to Harden Your Code Against Security Vulnerabilities and Weaknesses
- I converted this Windows 11 Mini PC into a Linux workstation - and didn't regret it
Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes
The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.
The new attack chain “can be used for sensitive information gathering purposes and to enable follow-on activity,” enterprise security firm Proofpoint said in a Monday report.
At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world.
The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks’ success.
The ZIP attachments – which are the most common delivery mechanism – come with an HTML file that’s designed to contact an actor-controlled Server Message Block (SMB) server.
“TA577’s objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used,” the company said, which could then be used for pass-the-hash (PtH) type attacks.
This means that adversaries who are in possession of a password hash do not need the underlying password to authenticate a session, ultimately enabling them to move through a network and gain unauthorized access to valuable data.
TA577, which overlaps with an activity cluster tracked by Trend Micro as Water Curupira, is one of the most sophisticated cybercrime groups. It has been linked to the distribution of malware families like QakBot and PikaBot in the past.
“The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods,” Proofpoint said.
It also described the threat actor as acutely aware of the shifts in the cyber threat landscape, quickly adapting and refining its tradecraft and delivery methods to bypass detection and drop a variety of payloads. Organizations are highly recommended to block outbound SMB to prevent exploitation.