
Hackers Using Phishing Attacks to Steal NTLM Authentication Hashes


The notorious hacking group identified as TA577 is now engaging in sophisticated phishing schemes aimed at capturing NTLM authentication hashes, a crucial security component within Windows environments. This maneuver is part of an alarming trend towards more direct attacks on account security.

TA577, with historical ties to the Qbot malware and Black Basta ransomware campaigns, is an initial access broker. Despite its previous inclination towards deploying Pikabot malware, recent activities suggest a pivot towards exploiting authentication protocols.

The Phishing Campaign Unveiled

Proofpoint, an email security leader, revealed that TA577 launched potent attack waves on February 26 and 27, 2024. These attacks targeted a vast array of organizations globally, with the primary aim of pilfering NTLM hashes from unsuspecting employees.

NTLM hashes serve as a cornerstone for authentication and session security in Windows systems. Attackers covet these hashes for their potential use in offline password cracking or in “pass-the-hash” intrusions, which bypass the need for actual passwords to gain unauthorized access to services.

The attackers use phishing emails crafted to look like legitimate follow-ups to ongoing conversations, a tactic known as thread hijacking. These emails carry personalized ZIP files containing HTML documents that, once opened, initiate connections to attacker-controlled external servers built to capture the NTLM hashes.

Sample of an email using thread hijacking (Source: Proofpoint)

The Intricacies and Implications of the Attack

Proofpoint’s insights highlight the attackers’ cunning use of ZIP archives to circumvent security measures in updated Outlook clients. The absence of malware in these attacks underscores the hackers’ singular focus on acquiring authentication data.

“It is notable that TA577 delivered the malicious HTML in a zip archive to generate a local file on the host,” Proofpoint reports, emphasizing the tactical avoidance of direct email attachments, which recent Outlook patches can thwart.

The theft of NTLM hashes poses a severe risk, potentially allowing cybercriminals to escalate privileges and move through networks undetected. The presence of tools like Impacket on the attackers’ servers further points to what the phishing is intended to achieve.
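The hash capture described above only works if the victim host can reach the attacker’s server on an SMB port, so the corresponding defender check is to look for outbound SMB traffic leaving the network. The following PowerShell is an added example, not code from the article, Proofpoint, or TA577’s tooling: it parses Windows Defender Firewall log lines (the pfirewall.log field layout) and reports any outbound TCP 445/139 connection whose destination is not a private address. The log lines are constructed for the demonstration; the destination addresses are documentation-range IPs, not real indicators.

```powershell
# Added example: flag outbound SMB connections to non-private IPv4 addresses in
# Windows Defender Firewall log lines. Sample lines are constructed (not real traffic).
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-02-27 09:14:22 ALLOW TCP 10.0.5.23 10.0.1.10 51230 445 0 - 0 0 0 - - - SEND
2024-02-27 09:14:25 ALLOW TCP 10.0.5.23 203.0.113.45 51234 445 0 - 0 0 0 - - - SEND
2024-02-27 09:14:26 ALLOW TCP 10.0.5.23 203.0.113.45 51235 443 0 - 0 0 0 - - - SEND
2024-02-27 09:15:01 DROP TCP 10.0.5.88 198.51.100.7 49877 445 0 - 0 0 0 - - - SEND
'@

function Test-PrivateIPv4 {
    # True for RFC 1918, loopback and link-local ranges; anything else is "external".
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return (
        ($b[0] -eq 10) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168) -or
        ($b[0] -eq 127) -or
        ($b[0] -eq 169 -and $b[1] -eq 254)
    )
}

function Find-OutboundSmb {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int[]]$SmbPorts = @(445, 139)
    )
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # Field order: 0 date 1 time 2 action 3 protocol 4 src-ip 5 dst-ip
        #              6 src-port 7 dst-port ... 16 path (SEND/RECEIVE)
        if ($f.Count -lt 17) { continue }
        if ($f[16] -ne 'SEND' -or $f[3] -ne 'TCP') { continue }
        if ($SmbPorts -notcontains [int]$f[7]) { continue }
        if (Test-PrivateIPv4 -Address $f[5]) { continue }
        # A DROP is still worth reporting: it shows a host tried to reach an
        # external SMB server, which is what opening the lure file produces.
        [pscustomobject]@{
            Time   = "$($f[0]) $($f[1])"
            Action = $f[2]
            Source = $f[4]
            Dest   = $f[5]
            Port   = [int]$f[7]
        }
    }
}

$findings = Find-OutboundSmb -Lines ($SampleLog -split "`r?`n")
$findings | Format-Table -AutoSize
```

Run against the constructed sample, this reports two events: the allowed connection from 10.0.5.23 to 203.0.113.45 on port 445 and the dropped attempt from 10.0.5.88 to 198.51.100.7. The internal file-server connection and the HTTPS session are ignored. On a real estate, point `$Lines` at `Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log` (logging must be enabled on the firewall profile first) and treat any hit as a host that likely opened one of these HTML lures.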

Experts like Brian from Pittsburgh and vulnerability researcher Will Dormann suggest that these attacks could be aimed either at direct network breaches, where multi-factor authentication is disabled, or at reconnaissance to identify high-value targets.

Safeguarding Against the Threat

While restricting guest access on SMB servers is a basic security measure, it falls short against these sophisticated attacks.

Proofpoint advises implementing stringent email filtering, blocking outbound SMB connections, and activating specific Windows group policies to mitigate the risk.

For Windows 11 users, Microsoft has introduced advanced security features to combat such NTLM-based threats effectively.
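Two of the controls Proofpoint recommends can be applied on a single host with built-in cmdlets. The script below is an added example written for this page, not Proofpoint’s or Microsoft’s own guidance text: it adds a host-firewall rule blocking outbound SMB to Internet-scope addresses (private ranges, and therefore internal file servers, remain reachable) and sets the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy via its registry value. The rule name is an arbitrary label chosen here; it must be run from an elevated PowerShell session, and in a domain the same settings would normally be deployed through Group Policy rather than per host.

```powershell
# Added example: host-level mitigations for NTLM hash leakage over outbound SMB.
# Run elevated. The display name below is arbitrary (chosen for this example).

# 1. Block outbound SMB (TCP 445 and 139) to Internet-scope destinations.
#    'Internet' is a built-in address keyword: anything outside local subnets/private scope.
$ruleName = 'Block outbound SMB to Internet (NTLM leak mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Protocol TCP `
        -RemotePort 445, 139 -RemoteAddress Internet `
        -Profile Any -Enabled True | Out-Null
}

# 2. Restrict outgoing NTLM authentication to remote servers.
#    RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
#    Start in audit mode and review Microsoft-Windows-NTLM/Operational events
#    for legitimate NTLM use before switching to 2 (deny).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# 3. Verify what was applied.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic |
    Select-Object RestrictSendingNTLMTraffic
```

The firewall rule is the control that directly defeats the lure in this campaign, since the HTML file cannot reach the attacker’s server on port 445 at all. The NTLM restriction is broader: in deny mode it stops the host from sending NTLM to any remote server, which also covers variants that use a different port, but it needs the audit pass first so that legitimate dependencies show up before they break.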

Final Word

The evolution of phishing techniques to target NTLM authentication underscores the need for constant vigilance and robust security measures. Organizations must stay abreast of emerging threats and adapt their defenses to protect against these sophisticated cybercriminal endeavors.

By Anas Hasan, March 6, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
