Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes


The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.
The new attack chain “can be used for sensitive information gathering purposes and to enable follow-on activity,” enterprise security firm Proofpoint said in a Monday report.
At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world.
The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks’ success.
The ZIP attachments – which are the most common delivery mechanism – come with an HTML file that’s designed to contact an actor-controlled Server Message Block (SMB) server.
“TA577’s objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used,” the company said. The captured hashes could then be used for pass-the-hash (PtH) type attacks.
This means that adversaries who are in possession of a password hash do not need the underlying password to authenticate a session, ultimately enabling them to move through a network and gain unauthorized access to valuable data.
TA577, which overlaps with an activity cluster tracked by Trend Micro as Water Curupira, is one of the most sophisticated cybercrime groups. It has been linked to the distribution of malware families like QakBot and PikaBot in the past.
“The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods,” Proofpoint said.
It also described the threat actor as acutely aware of shifts in the cyber threat landscape, quickly adapting and refining its tradecraft and delivery methods to bypass detection and drop a variety of payloads. Organizations are strongly advised to block outbound SMB to prevent exploitation.
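As an added example (not part of the Proofpoint report or this article), the following Python script applies the mitigation point above from the detection side: it scans constructed firewall log lines for internal hosts reaching SMB ports (445/139) on non-internal addresses, which is exactly the connection the HTML attachment triggers. The log format, internal address ranges and all addresses are assumptions; adjust them to your environment.

```python
import ipaddress

# Constructed sample firewall log lines (not from the article): "timestamp src dst dport action"
SAMPLE_LOGS = """\
2024-02-26T09:14:02Z 10.20.30.41 10.20.30.5 445 ALLOW
2024-02-26T09:14:07Z 10.20.30.41 203.0.113.77 445 ALLOW
2024-02-26T09:15:11Z 10.20.30.52 198.51.100.9 443 ALLOW
2024-02-26T09:16:40Z 10.20.30.52 192.0.2.19 445 DENY
2024-02-26T09:17:03Z 10.20.30.60 192.0.2.19 139 ALLOW
"""

SMB_PORTS = {445, 139}

# Assumed internal ranges (RFC 1918); anything outside these is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}

def find_external_smb(lines):
    """Return events where an internal host reaches an SMB port on a non-internal address."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev["dport"] in SMB_PORTS and is_internal(ev["src"]) and not is_internal(ev["dst"]):
            hits.append(ev)
    return hits

def summarize(hits):
    """Group hits by destination so one external SMB server appears once with every source that reached it.
    'allowed' counts connections the firewall let through, i.e. where an egress block was missing."""
    by_dst = {}
    for ev in hits:
        entry = by_dst.setdefault(ev["dst"], {"sources": set(), "allowed": 0})
        entry["sources"].add(ev["src"])
        if ev["action"] == "ALLOW":
            entry["allowed"] += 1
    return by_dst

if __name__ == "__main__":
    for dst, info in summarize(find_external_smb(SAMPLE_LOGS.splitlines())).items():
        print(f"{dst}: {len(info['sources'])} internal host(s), {info['allowed']} allowed connection(s)")
```

A destination with allowed connections is a host where the outbound SMB block the article recommends was not in effect; a DENY hit still identifies the internal machine that opened the attachment.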