Rewterz Threat Alert – TA577 Leverages Phishing to Steal Windows NTLM Authentication Hashes – Active IOCs

Severity

High

Analysis Summary

The threat actor group tracked as TA577 has recently been observed leveraging phishing emails to commit theft of NT LAN Manager (NTLM) authentication hashes to compromise accounts. The threat actor has been showing a preference for utilizing PikaBot, but two recent attack waves show a shift in tactics.

TA577 is an initial access broker that has been linked with QBot and Black Basta ransomware infections in the past. New campaigns by the threat actor were launched on February 26 and 27, 2024, that sent out thousands of messages to hundreds of organizations across the world and specifically targeted the employees’ NTLM hashes. NTLM hashes are used in Windows for session security and authentication, able to be captured for offline password cracking to gain the plaintext password.

They can also be used in pass-the-hash attacks where cracking the password isn’t involved, but instead, the threat actors use the hash to authenticate to a service or remote server. Under some circumstances, the stolen hashes can allow cybercriminals to achieve privilege escalation, gain sensitive information, move laterally in the breached network, evade detection from security products, and hijack accounts.

The latest campaign starts with phishing emails that use a technique called thread hijacking in which the emails seem like replies to the target’s previous conversations. These emails contain unique ZIP archives that have HTML files, using META refresh HTML tags to gain an automatic connection to a text file present on an external Server Message Block (SMB) server.

Once the device with Windows connects to the server, it will automatically try to carry out an NTLMv2 Challenge/Response, enabling the remote actor-controlled server to commit NTLM authentication hash theft. Security researchers observed that TA577 propagated the malicious HTML in a ZIP archive to create a local file on the system. The attack would not work on Outlook mail clients if the file scheme URI was sent directly within the email, since it was patched in July 2023. These URLs don’t deliver any malware payloads, making it clear that their main purpose is to grab NTLM hashes.

The researchers found specific artifacts that were present on the SMB servers, like an open-source toolkit Impacket, showing that those servers have been used in phishing attacks. Notably, multi-factor authentication (MFA) must have been disabled on these accounts so that the attackers could easily use the stolen hashes to breach networks. It’s also possible that the stolen hashes may not be used to breach networks but instead to perform reconnaissance to search for high-value targets.

Just restricting guest access to SMB servers will not mitigate the attack by TA577 since it uses automatic authentication to the external server to bypass any need for guest access. However, a potentially effective measure that can be taken is to configure a firewall to block all outbound SMB connections, usually ports 139 and 445, which will stop the sending of NTLM hashes. It is also recommended to implement email filtering to block messages containing zipped HTML files since these are capable of triggering connections to dangerous endpoints when launched.

It is possible to configure the Windows group policy ‘Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers’ that can prevent sending NTLM hashes, but it may result in authentication issues for legitimate servers. For organizations that use Windows 11, there is an additional feature introduced for Windows 11 users that allows them to block NTLM-based attacks over SMBs, which seems to be an effective remediation.

Impact

• Privilege Escalation
• Sensitive Information Theft
• Credential Theft

Indicators of Compromise

URL

• http://89.117.1.161/mtdi/ZQCw.txt
• http://89.117.2.33/hvwsuw/udrh.txt
• http://146.19.213.36/vei/yEZZ.txt
• http://176.123.2.146/vbcsn/UOx.txt

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise IOCs in your environment utilizing your respective security controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.
• Implement ongoing phishing awareness training for partners and staff.
• Implement a web application firewall to filter out malicious traffic and protect against common web-based threats. 
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Be vigilant and thoroughly check the URL to see if it’s legitimate before downloading apps.