TA577 Attacking organizations to Steal NTLM Authentication Data

A cybercriminal threat actor known as TA577 has been identified as employing a new attack strategy to steal NT LAN Manager (NTLM) authentication information.

This sophisticated activity is designed to gather sensitive information and facilitate subsequent malicious actions.

Technical Analysis

Proofpoint uncovered two distinct campaigns orchestrated by TA577 on February 26 and 27, 2024.

These campaigns involved tens of thousands of messages targeting numerous organizations worldwide.

The attackers utilized thread hijacking, where messages were disguised as replies to previous emails and contained zipped HTML attachments tailored for each recipient.

The malicious attachments, each with a unique file hash, triggered system connection attempts via HTML files to an external Server Message Block (SMB) server.

By capturing NTLMv2 Challenge/Response pairs from the SMB server, TA577 aimed to steal NTLM hashes for potential password cracking or “Pass-The-Hash” attacks within targeted organizations.

Using the open-source toolkit Impacket on the SMB servers indicated the attackers’ intent to exploit vulnerabilities and move laterally within compromised environments.

Proofpoint’s research highlighted the increasing trend of threat actors utilizing file scheme URIs to direct victims to external file shares for malware delivery.

Implications and Mitigation

Allowing connections to these compromised SMB servers posed risks of compromising NTLM hashes and exposing sensitive information like usernames and domain names.

Notably, the attackers delivered the malicious HTML within zip archives to evade detection by Outlook mail clients.

Disabling guest access to SMB did not prevent the attack, emphasizing the need for proactive security measures.

TA577, a well-known cybercrime threat actor previously associated with ransomware infections like Black Basta, has recently shifted towards using Pikabot as an initial payload.

This shift in tactics underscores the evolving nature of cyber threats and the importance of staying vigilant against emerging attack vectors.

Emerging Threats and Recommendations

Organizations are advised to block outbound SMB connections to mitigate risks associated with such attacks and stay abreast of emerging threat signatures.

TA577’s innovative tactics underscore the evolving landscape of cyber threats, necessitating continuous vigilance and proactive cybersecurity measures to safeguard against sophisticated attacks.

• 2044665 – ET INFO Outbound SMB NTLM Auth Attempt to External Address 
• 2051116 – ET INFO Outbound SMB2 NTLM Auth Attempt to External Address 
• 2051432 – ET INFO [ANY.RUN] Impacket Framework Default SMB Server GUID Detected
• 2051433 – ET INFO Impacket Framework Default SMB NTLMSSP Challenge

IOCs

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.