Mar 05, 2024NewsroomEmail Security / Network Security

The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.

The new attack chain “can be used for sensitive information gathering purposes and to enable follow-on activity,” enterprise security firm Proofpoint said in a Monday report.

At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world.

The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks’ success.

The ZIP attachments come with an HTML file that’s designed to contact an actor-controlled Server Message Block (SMB) server.

“TA577’s objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used,” the company said, which could then be used for pass-the-hash (PtH) type attacks.

This means that adversaries who are in possession of a password hash do not need the underlying password to authenticate a session, ultimately enabling them to move through a network and gain unauthorized access to valuable data.

TA577, which overlaps with an activity cluster tracked by Trend Micro as Water Curupira, is one of the most sophisticated cybercrime groups. It has been linked to the distribution of malware families like QakBot and PikaBot in the past.

“The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods,” Proofpoint said.

It also described the threat actor as acutely aware of the shifts in the cyber threat landscape, quickly adapting and refining its tradecraft and delivery methods to bypass detection and drop a variety of payloads. Organizations are highly recommended to block outbound SMB to prevent exploitation.

Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide.

The attacks, attributed to an “aggressive” hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.

Cybersecurity firm Trend Micro assessed these intrusions as a “cost-efficient method of automating attempts to brute-force its way into the networks” of its targets, noting the adversary may have compromised thousands of email accounts over time.

APT28 is also tracked by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

The group, believed to be active since at least 2009, is operated by Russia’s GRU military intelligence service and has a track record of orchestrating spear-phishing containing malicious attachments or strategic web compromises to activate the infection chains.

In April 2023, APT28 was implicated in attacks leveraging now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against select targets.

The nation-state actor, in December, came under the spotlight for exploiting a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and WinRAR (CVE-2023-38831, CVSS score: 7.8) to access a user’s Net-NTLMv2 hash and use it to stage an NTLM Relay attack against another service to authenticate as the user.

An exploit for CVE-2023-23397 is said to have been used to target Ukrainian entities as early as April 2022, according to a March 2023 advisory from CERT-EU.

It has also been observed leveraging lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace, alongside striking Ukrainian government entities and Polish organizations with phishing messages designed to deploy backdoors and information stealers like OCEANMAP, MASEPIE, and STEELHOOK.

One of the significant aspects of the threat actor’s attacks is the continuous attempt to improve its operational playbook, fine-tuning and tinkering with its approaches to evade detection.

This includes the addition of anonymization layers such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers to carry out scanning and probing activities. Another tactic entails sending spear-phishing messages from compromised email accounts over Tor or VPN.

“Pawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites,” security researchers Feike Hacquebord and Fernando Merces said.

“Part of the group’s post-exploitation activities involve the modification of folder permissions within the victim’s mailbox, leading to enhanced persistence,” the researchers said. “Using the victim’s email accounts, lateral movement is possible by sending additional malicious email messages from within the victim organization.”

It’s currently not known if the threat actor themselves breached these routers, or if it is using routers that were already compromised by a third-party actor. That said, no less than 100 EdgeOS routers are estimated to have been infected.

Furthermore, recent credential harvesting campaigns against European governments have used bogus login pages mimicking Microsoft Outlook that are hosted on webhook[.]site URLs, a pattern previously attributed to the group.

An October 2022 phishing campaign, however, singled out embassies and other high-profile entities to deliver a “simple” information stealer via emails that captured files matching specific extensions and exfiltrated them to a free file-sharing service named Keep.sh.

“The loudness of the repetitive, oftentimes crude and aggressive campaigns, drown out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that might occur once Pawn Storm gets an initial foothold in victim organizations,” the researchers said.

The development comes as Recorded Future News revealed an ongoing hacking campaign undertaken by the Russian threat actor COLDRIVER (aka Calisto, Iron Frontier, or Star Blizzard) that impersonates researchers and academics to redirect prospective victims to credential harvesting pages.

Jan 29, 2024NewsroomVulnerability / NTML Security

A now-patched security flaw in Microsoft Outlook could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file.

The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was addressed by the tech giant as part of its Patch Tuesday updates for December 2023.

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft said in an advisory released last month.

In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.”

Put differently, the adversary would have to convince users to click a link, either embedded in a phishing email or sent via an instant message, and then deceive them into opening the file in question.

CVE-2023-35636 is rooted in the calendar-sharing function in the Outlook email application, wherein a malicious email message is created by inserting two headers “Content-Class” and “x-sharing-config-url” with crafted values in order to expose a victim’s NTLM hash during authentication.

Varonis security researcher Dolev Taler, who has been credited with discovering and reporting the bug, said NTLM hashes could be leaked by leveraging Windows Performance Analyzer (WPA) and Windows File Explorer. These two attack methods, however, remain unpatched.

“What makes this interesting is that WPA attempts to authenticate using NTLM v2 over the open web,” Taler said.

“Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.”

The disclosure comes as Check Point revealed a case of “forced authentication” that could be weaponized to leak a Windows user’s NTLM tokens by tricking a victim into opening a rogue Microsoft Access file.

Microsoft, in October 2023, announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security owing to the fact that it does not support cryptographic methods and is susceptible to relay attacks.