
New Cybercriminal Tactic Exposed


Cybercriminal Group TA577 Targets Organizations Globally, Stealing NTLM Authentication Info with New Technique 


Cybersecurity researchers at Proofpoint have observed a new technique used by the cybercriminal group TA577. The group aims to steal NT LAN Manager (NTLM) authentication information, which could then be used to gather sensitive information and enable further malicious activity.


The researchers identified two campaigns conducted by TA577 on February 26 and 27, 2024, which targeted hundreds of organizations globally through tens of thousands of deceptive email messages. 


These emails contained zipped HTML attachments designed to initiate a connection to an external Server Message Block (SMB) server in order to capture NTLM hashes [T1187]. The researchers concluded that TA577's objective was to steal NTLM hashes for use in password cracking or "Pass-The-Hash" attacks [T1550.002] within the targeted organizations. The delivery method, a malicious HTML file inside a zip archive [T1027], is specifically designed to bypass security controls.


Relevance: 


  • Phishing Campaigns

Mitigations:  


  • NTLM has been phased out in favor of Kerberos authentication in Windows. While Windows 11 has moved away from using NTLM as a standard protocol, it continues to support it for third-party vendors and enterprises. Microsoft has advised Windows admins to disable NTLM.  

  • User awareness training. 

  • Block SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. If access to external resources over SMB is necessary, then traffic should be tightly limited with allowlisting. 

  • Use strong passwords so that credential hashes are harder to crack if they are obtained. 

  • Limit credential overlap across systems to contain the damage from a credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. 

  • Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy. 

    • Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. 

  • Do not allow a domain user to be in the local administrator group on multiple systems.
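As an added example (not from the advisory or from Proofpoint's research), the following Python script turns the egress rule above into a detection: it scans firewall log lines for outbound SMB/NetBIOS flows (TCP 139/445, UDP 137) to addresses outside the internal ranges and groups them by source host, so a SOC can see which workstations attempted the forced-authentication connection and whether the firewall allowed it. The key=value log format, the internal address ranges and the sample lines are constructed assumptions; adjust them to your own environment.

```python
import ipaddress
from collections import defaultdict

# SMB / NetBIOS ports the advisory recommends blocking at the network egress
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137)}

# Ranges treated as internal (assumption: adjust to your own address plan)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample egress firewall log in a hypothetical key=value format
SAMPLE_LOG = """\
ts=2024-02-26T09:12:01Z src=10.20.1.15 dst=10.20.5.2 proto=tcp dport=445 action=allow
ts=2024-02-26T09:12:05Z src=10.20.1.15 dst=203.0.113.10 proto=tcp dport=445 action=allow
ts=2024-02-26T09:12:06Z src=10.20.1.15 dst=203.0.113.10 proto=tcp dport=445 action=allow
ts=2024-02-26T09:13:40Z src=10.20.1.22 dst=198.51.100.7 proto=udp dport=137 action=deny
ts=2024-02-26T09:14:02Z src=10.20.1.30 dst=198.51.100.9 proto=tcp dport=443 action=allow
"""

def is_external(ip: str) -> bool:
    """True when the address lies outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str) -> dict:
    """Split one 'key=value key=value ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def find_smb_egress(log_text: str, allowlist=frozenset()) -> dict:
    """Group SMB/NetBIOS flows to external, non-allowlisted hosts by source.
    'allow' hits mean an NTLM exchange may already have happened; 'deny' hits
    still identify hosts that tried to reach an external SMB server."""
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0, "destinations": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["proto"].lower(), int(rec["dport"])) not in SMB_PORTS:
            continue
        if not is_external(rec["dst"]) or rec["dst"] in allowlist:
            continue
        entry = hits[rec["src"]]
        entry["allowed" if rec["action"] == "allow" else "denied"] += 1
        entry["destinations"].add(rec["dst"])
    return dict(hits)

if __name__ == "__main__":
    for src, info in find_smb_egress(SAMPLE_LOG).items():
        print(src, info["allowed"], info["denied"], sorted(info["destinations"]))
```

Hosts with an "allowed" count should be treated as likely to have leaked an NTLM hash and prioritised for credential reset and investigation, while "denied" hits still indicate a user who opened the attachment.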

References


  1. Mascellino, A. (2024, March 4). TA577 exploits NTLM authentication vulnerability. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/ta577-exploits-ntlm-authentication/?&web_view=true 

  2. Forced Authentication, Technique T1187 - Enterprise | MITRE ATT&CK. https://attack.mitre.org/techniques/T1187/ 

  3. Use Alternate Authentication Material: Pass the Hash, Sub-Technique T1550.002 - Enterprise | MITRE ATT&CK. https://attack.mitre.org/techniques/T1550/002/ 

  4. Obfuscated Files or Information, Technique T1027 - Enterprise | MITRE ATT&CK. https://attack.mitre.org/techniques/T1027/  


How can CyberForce|Q services help you address this risk?


Incident Response is a time-based situation and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365 – reach out to solutions@cyberforceq.com.


Learn more about CyberForce|Q.


