Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
Summary:
On Tuesday, Microsoft released a security patch for an NTLM hash disclosure spoofing vulnerability (CVE-2024-43451) that could be exploited to steal a user’s NTLMv2 hash. The vulnerability requires minimal user interaction and is exploited by generating a malicious URL file that can be activated through seemingly harmless actions:
- A single right-click on the file (all Windows versions).
- Deleting the file (Windows 10/11).
- Dragging the file to another folder (Windows 10/11 and some Windows 7/8/8.1 configurations).
Security Officer Comments:
The attacks have been attributed to the suspected Russian threat group, UAC-0194, underscoring the ongoing wave of cyberattacks emanating from Russia amid the war in Ukraine.
The deployment of SparkRAT allows the attackers to gain remote control over the targeted system. According to ClearSky Cyber Security, the adversaries employed several techniques to maintain persistence on the infected system, including the creation of scheduled tasks.
During their investigation, researchers observed that a sandbox execution of the malicious URL file attempted to pass the NTLM (NT LAN Manager) hash through the SMB3 (Server Message Block) protocol. This hash could potentially be used in a Pass-the-Hash attack, enabling the attacker to impersonate the user associated with the captured hash without needing the corresponding password.
Suggested Corrections:
Organizations should implement advanced email filtering to block phishing attempts and use endpoint detection and response (EDR) solutions to monitor suspicious activity. Restricting the use of SMB, applying network segmentation, and monitoring SMB traffic can help prevent Pass-the-Hash attacks. Additionally, enforcing multi-factor authentication, limiting administrative privileges, and rotating credentials regularly will reduce the impact of stolen credentials. Finally, conducting threat hunting, applying timely patches, and hardening systems are essential to detect and prevent further exploitation of vulnerabilities like CVE-2024-43451.
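The hash leak observed in the sandbox only works if the victim host can open an SMB session to a server the attacker controls, so the "monitoring SMB traffic" advice above comes down to spotting outbound SMB that leaves the internal address space. The script below is an added illustration, not code from the ClearSky report: it sweeps constructed key=value firewall log lines (the log format, the internal ranges and the addresses are assumptions) and flags TCP 445/139 connections to hosts outside the organisation's own networks.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample firewall log lines (assumed key=value format, documentation
# addresses only). They are not taken from the report.
SAMPLE_LOGS = """\
ts=2024-11-12T10:01:02Z src=10.20.30.41 dst=10.20.30.5 proto=tcp dport=445 action=allow
ts=2024-11-12T10:01:09Z src=10.20.30.41 dst=203.0.113.25 proto=tcp dport=445 action=allow
ts=2024-11-12T10:01:10Z src=10.20.30.41 dst=198.51.100.7 proto=tcp dport=443 action=allow
ts=2024-11-12T10:02:15Z src=10.20.30.77 dst=192.0.2.9 proto=tcp dport=139 action=deny
this line is not parseable and must be skipped
""".splitlines()

# Assumed internal address space for the organisation (RFC 1918). Anything outside
# these ranges is treated as an external SMB destination worth investigating.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (empty dict for unparseable lines)."""
    return dict(KV_RE.findall(line))


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(lines: List[str]) -> List[Dict[str, str]]:
    """Return the records of SMB sessions (TCP 445/139) headed to external hosts.

    Denied connections are kept as well: a blocked attempt still shows that
    something on the source host tried to authenticate to an outside SMB server.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        try:
            if rec["proto"] != "tcp" or int(rec["dport"]) not in SMB_PORTS:
                continue
            if is_external(rec["dst"]):
                hits.append(rec)
        except (KeyError, ValueError):
            continue  # malformed or incomplete record: skip rather than abort the sweep
    return hits


if __name__ == "__main__":
    for rec in find_outbound_smb(SAMPLE_LOGS):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} ({rec['action']}) outbound SMB")
```

Each flagged source host is a candidate for the credential rotation and endpoint triage described above, since the NTLMv2 response it sent may already be in the attacker's hands.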
Link(s):
https://www.clearskysec.com/wp-content/uploads/2024/11/Zero-day-cve-2024-4351-report.pdf