November 13, 2024 at 04:37PM
Suspected Russian hackers exploited a recently patched Windows vulnerability (CVE-2024-43451) targeting Ukrainian entities. This NTLM Hash Disclosure flaw allows attackers to steal user login credentials via phishing emails. Microsoft confirmed the vulnerability’s exploitation requires minimal user interaction and has affected all supported Windows versions, prompting CISA to issue a security directive.
**Meeting Takeaways:**
1. **Zero-Day Exploitation Detected**: Suspected Russian hackers are exploiting a recently patched Windows vulnerability (CVE-2024-43451) targeting Ukrainian entities.
2. **Vulnerability Details**: The security flaw is an NTLM Hash Disclosure spoofing vulnerability. It can potentially be exploited to steal users’ NTLMv2 hashes via remote server connections initiated through user interactions.
3. **Attack Methodology**: ClearSky researchers discovered phishing emails designed to exploit this vulnerability. These contained links that, when activated by users, downloaded malicious shortcut files from a compromised server.
4. **Malware Deployment**: When the vulnerability is triggered, it connects to a remote server to download malware, including SparkRAT, which allows attackers to control the infected systems remotely.
5. **Connection to Threat Group**: The attacks have been linked to a threat group identified as UAC-0194, believed to be Russian in origin. This information was shared with Ukraine’s Computer Emergency Response Team (CERT-UA).
6. **Microsoft’s Response**: Microsoft patched the vulnerability as part of the November 2024 Patch Tuesday update, confirming that user interaction is required for exploitation.
7. **Scope of Affected Systems**: CVE-2024-43451 impacts all supported Windows versions, including Windows 10 and later, as well as Windows Server 2008 and higher.
8. **CISA Involvement**: The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog and has mandated remediation by December 3, as per the Binding Operational Directive (BOD) 22-01.
9. **Risk Acknowledgment**: CISA emphasized that such vulnerabilities are common attack vectors for cyber actors and present significant risks to federal systems.
**Action Items:**
– Ensure all relevant systems are patched by the December 3 deadline.
– Increase awareness and training on recognizing phishing attempts among users.
– Maintain close monitoring of systems for signs of exploitation.